Abstract

Informally, steganography refers to the practice of hiding secret messages in communications over a public channel so that an eavesdropper (who listens to all communications) cannot even tell that a secret message is being sent. In contrast to the active literature proposing new concrete steganographic protocols and analysing flaws in existing protocols, there has been very little work on formalizing steganographic notions of security, and none giving complete, rigorous proofs of security in a satisfying model.

My thesis initiates the study of steganography from a cryptographic point of view. We give a precise model of a communication channel and a rigorous definition of steganographic security, and prove that relative to a channel oracle, secure steganography exists if and only if one-way functions exist. We give tightly matching upper and lower bounds on the maximum rate of any secure stegosystem. We introduce the concept of steganographic key exchange and public-key steganography, and show that provably secure protocols for these objectives exist under a variety of standard number-theoretic assumptions. We consider several notions of active attacks against steganography, show how to achieve each under standard assumptions, and consider the relationships between these notions. Finally, we extend the concept of steganography as covert communication to include the more general concept of covert computation.
Chapter 1


Introduction


This dissertation focuses on the problem of steganography: how can two communicating entities send secret messages over a public channel so that a third party cannot detect the presence of the secret messages? Notice how the goal of steganography is different from classical encryption, which seeks to conceal the content of secret messages: steganography is about hiding the very existence of the secret messages.

Steganographic “protocols” have a long and intriguing history that goes back to antiquity. There are stories of secret messages written in invisible ink or hidden in love letters (the first character of each sentence can be used to spell a secret, for instance). More recently, steganography was used by prisoners, spies and soldiers during World War II because mail was carefully inspected by both the Allied and Axis governments at the time [38]. Postal censors crossed out anything that looked like sensitive information (e.g. long strings of digits), and they prosecuted individuals whose mail seemed suspicious. In many cases, censors even randomly deleted innocent-looking sentences or entire paragraphs in order to prevent secret messages from being delivered. More recently there has been a great deal of interest in digital steganography, that is, in hiding secret messages in communications between computers.

The recent interest in digital steganography is fueled by the increased amount of communication which is mediated by computers and by the numerous potential commercial applications: hidden information could potentially be used to detect or limit the unauthorized propagation of the innocent-looking “carrier” data. Because of this, there have been numerous proposals for protocols to hide data in channels containing pictures [37, 40], video [40, 43, 61], audio [32, 49], and even typeset text [12]. Many of these protocols are extremely clever and rely heavily on domain-specific properties of these channels. On the other hand, the literature on steganography also contains many clever attacks which detect the use of such protocols. In addition, there is no clear consensus in the literature about what it should mean for a stegosystem to be secure; this ambiguity makes it unclear whether it is even possible to have a secure protocol for steganography.

The main goal of this thesis is to rigorously investigate the open question: “under what conditions do secure protocols for steganography exist?” We will give rigorous cryptographic definitions of steganographic security in multiple settings against several different types of adversary, and we will demonstrate necessary and sufficient conditions for security in each setting, by exhibiting protocols which are secure under these conditions.


1.1 Cryptography and Provable Security

The rigorous study of provably secure cryptography was initiated by Shannon [58], who introduced an information-theoretic definition of security: a cryptosystem is secure if an adversary who sees the ciphertext - the scrambled message sent by a cryptosystem - receives no additional information about the plaintext - the unscrambled content. Unfortunately, Shannon also proved that any cryptosystem which is perfectly secure requires that if a sender wishes to transmit N bits of plaintext data, the sender and the receiver must share at least N bits of random, secret data - the key. This limitation means that only parties who already possess secure channels (for the exchange of secret keys) can have secure communications.

To address these limitations, researchers introduced a theory of security against computationally limited adversaries: a cryptosystem is computationally secure if an adversary who sees the ciphertext cannot compute (in, e.g. polynomial time) any additional information about the plaintext than he could without the ciphertext [31]. Potentially, a cryptosystem which could be proven secure in this way would allow two parties who initially share a very small number of secret bits (in the case of public-key cryptography, zero) to subsequently transmit an essentially unbounded number of message bits securely.

Proving that a system is secure in the computational sense has unfortunately proved to be an enormous challenge: doing so would resolve, in the negative, the open question of whether P = NP. Thus the cryptographic theory community has borrowed a tool from complexity theory: reductions. To prove a cryptosystem secure, one starts with a computational problem which is presumed to be intractable, and a model of how an adversary may attack a cryptosystem, and proves via reduction that computing any additional information from a ciphertext is equivalent to solving the computational problem. Since the computational problem is assumed to be intractable, a computationally limited adversary capable of breaking the cryptosystem would be a contradiction and thus should not exist. In general, computationally secure cryptosystems have been shown to exist if and only if “one-way functions,” which are easy to compute but computationally hard to invert, exist. Furthermore, it has been shown that the difficulty of a wide number of well-investigated number-theoretic problems would imply the existence of one-way functions, for example the problem of computing the factors of a product of two large primes [13], or computing discrete logarithms in a finite field [14].

Subsequent to these breakthrough ideas [13, 31], cryptographers have investigated a wide variety of different ways in which an adversary may attack a cryptosystem. For example, he may be allowed to make up a plaintext message and ask to see its corresponding ciphertext (called a chosen-plaintext attack), or even to make up a ciphertext and ask to see what the corresponding plaintext is (called a chosen-ciphertext attack [48, 52]). Or the adversary may have a different goal entirely [8, 23, 39] - for example, to modify a ciphertext so that if it previously said “Attack” it now reads as “Retreat” and vice-versa. We will draw on this practice to consider the security of a steganographic protocol under several different kinds of attack.

These notions will be explored in further detail in Chapter 2.
1.2 Previous work on theory of steganography


The scientific study of steganography in the open literature began in 1983 when Simmons [59] stated the problem in terms of communication in a prison. In his formulation, two inmates, Alice and Bob, are trying to hatch an escape plan. The only way they can communicate with each other is through a public channel, which is carefully monitored by the warden of the prison, Ward. If Ward detects any encrypted messages or codes, he will throw both Alice and Bob into solitary confinement. The problem of steganography is, then: how can Alice and Bob cook up an escape plan by communicating over the public channel in such a way that Ward doesn’t suspect anything “unusual” is going on?

Anderson and Petitcolas [6] posed many of the open problems resolved in this thesis. In particular, they pointed out that it was unclear how to prove the security of a steganographic protocol, and gave an example which is similar to the protocol we present in Chapter 3. They also asked whether it would be possible to have steganography without a secret key, which we address in Chapter 4. Finally, they point out that while it is easy to give a loose upper bound on the rate at which hidden bits can be embedded in innocent objects, there was no known lower bound.

Since the paper of Anderson and Petitcolas, several works [16, 44, 57, 66] have addressed information-theoretic definitions of steganography. Cachin’s work [16, 17] formulates the problem as that of designing an encoding function so that the relative entropy between stegotexts, which encode hidden information, and independent, identically distributed samples from some innocent-looking covertext probability distribution, is small. He gives a construction similar to one we describe in Chapter 3 but concludes that it is computationally intractable; and another construction which is provably secure but relies critically on the assumption that all orderings of covertexts are equally likely. Cachin also points out several flaws in other published information-theoretic formulations of steganography.

All information-theoretic formulations of steganography are severely limited, however, because it is easy to show that information-theoretically secure steganography implies information-theoretically secure encryption; thus any secure stegosystem with N bits of secret key can encode at most N hidden bits. In addition, techniques such as public-key steganography and robust steganography are information-theoretically impossible.


1.3 Contributions of the thesis

The primary contribution of this thesis is a rigorous, cryptographic theory of steganography. The results which establish this theory fall under several categories: symmetric-key steganography, public-key steganography, steganography with active adversaries, steganographic rate, and steganographic computation. Here we summarize the results in each category.

Symmetric Key Steganography

A symmetric key stegosystem allows two parties with a shared secret to send hidden messages undetectably over a public channel. We give cryptographic definitions for symmetric-key stegosystems and steganographic secrecy against a passive adversary in terms of indistinguishability from a probabilistic channel process. By giving a construction which provably satisfies these definitions, we show that the existence of a one-way function is sufficient for the existence of secure steganography relative to any channel. We also show that this condition is necessary by demonstrating a construction of a one-way function from any secure stegosystem.

Public-Key Steganography

Informally, a public-key steganography protocol allows two parties, who have never met or exchanged a secret, to send hidden messages over a public channel so that an adversary cannot even detect that these hidden messages are being sent. Unlike previous settings in which provable security has been applied to steganography, public-key steganography is information-theoretically impossible. We introduce computational security conditions for public-key steganography similar to those for the symmetric-key setting, and give the first protocols for public-key steganography and steganographic key exchange that are provably secure under standard cryptographic assumptions.

Steganography with active adversaries

We consider the security of a stegosystem against an adversary who actively attempts to subvert its operation by introducing new messages to the communication between Alice and Bob. We consider two classes of such adversaries: disrupting adversaries and distinguishing adversaries. Disrupting adversaries attempt to prevent Alice and Bob from communicating steganographically, subject to some set of publicly-known restrictions; we give a formal definition of robustness against such an attack and give the first construction of a provably robust stegosystem. Distinguishing adversaries introduce additional traffic between Alice and Bob in hopes of tricking them into revealing their use of steganography; we consider the security of symmetric- and public-key stegosystems against active distinguishers and give constructions which are secure against such adversaries. We also show that no stegosystem can be simultaneously secure against both disrupting and distinguishing active adversaries.

Bounds on steganographic rate

The rate of a stegosystem is defined by the (expected) ratio of hiddentext size to stegotext size. Prior to this work there was no known lower bound on the achievable rate (since there were no provably secure stegosystems), and only a trivial upper bound. We give an upper bound MAX in terms of the number of samples from a probabilistic channel oracle and the minimum-entropy of the channel, and show that this upper bound is tight by giving a provably secure symmetric-key stegosystem with rate (1 − o(1))·MAX. We also give an upper bound RMAX on the rate achievable by a robust stegosystem and exhibit a construction of a robust stegosystem with rate (1 − ε)·RMAX for any ε > 0.
Covert Computation


We introduce the novel concept of covert two-party computation. Whereas ordinary secure two-party computation only guarantees that no more knowledge is leaked about the inputs of the individual parties than the result of the computation, covert two-party computation employs steganography to yield the following additional guarantees: (A) no outside eavesdropper can determine whether the two parties are performing the computation or simply communicating as they normally do; (B) before learning f(x_A, x_B), neither party can tell whether the other is running the protocol; (C) after the protocol concludes, each party can only determine if the other ran the protocol insofar as they can distinguish f(x_A, x_B) from uniformly chosen random bits. Covert two-party computation thus allows the construction of protocols that return f(x_A, x_B) only when it equals a certain value of interest (such as “Yes, we are romantically interested in each other”) but for which neither party can determine whether the other even ran the protocol whenever f(x_A, x_B) does not equal the value of interest. We introduce security definitions for covert two-party computation and we construct protocols with provable security based on the Decisional Diffie-Hellman assumption.

A steganographic design methodology

At a higher level, the technical contributions of this thesis suggest a powerful design methodology for steganographic security goals. This methodology stems from the observation that the uniform channel is universal for steganography: we give a transformation from an arbitrary protocol which produces messages indistinguishable from uniform random bits (given an adversary’s view) into a protocol which produces messages indistinguishable from an arbitrary channel distribution (given the adversary’s view). Thus, in order to hide information from an adversary in a given channel, it is sufficient to design a protocol which hides the information among pseudorandom bits and apply our transformation. Examples of this methodology appear in Chapters 3, 4, 5, and 7; and the explicit transformation for a general task along with a proof of its security is given in Chapter 7, Theorem 7.5.
1.4 Roadmap of the thesis


Chapter 2 establishes the results and notation we will use from cryptography, and describes our model of innocent communication. Chapter 3 discusses our results on symmetric-key steganography and relies heavily on the material in Chapter 2. Chapter 4 discusses our results on public-key steganography, and can be read independently of Chapter 3. Chapter 5 considers active attacks against stegosystems; Section 5.1 depends on material in Chapters 2 and 3, while the remaining sections also require some familiarity with the material in Chapter 4. Chapter 6 discusses the rate of a stegosystem, and depends on material in Chapter 3, while the final section also requires material from Section 5.1. Finally, in Chapter 7 we extend steganography from the concept of hidden communication to hidden computation. Chapter 7 depends only on the material in Chapter 2. Finally, in Chapter 8 we suggest directions for future research.


Chapter 2


Model and Definitions


In this chapter we will introduce the notation and concepts from cryptography and information theory that our results will use. The reader interested in a more general treatment of the relationships between the various notions presented here is referred to the works of Goldreich [25] and Goldwasser and Bellare [30].


2.1 Notation

We will model all parties by Probabilistic Turing Machines (PTMs). A PTM is a standard Turing machine with an additional read-only “randomness” tape that is initially set so that every cell is a uniformly, independently chosen bit. If A is a PTM, we will denote by x ← A(y) the event that x is drawn from the probability distribution defined by A’s output on input y for a uniformly chosen random tape. We will write A_r(y) to denote the output of A with random tape fixed to r on input y.

We will often make use of Oracle PTMs (OPTM). An OPTM is a PTM with two additional tapes: a “query” tape and a “response” tape; and two corresponding states Q_query, Q_response. An OPTM runs with respect to some oracle O, and when it enters state Q_query with value y on its query tape, it goes in one step to state Q_response, with x ← O(y) written to its “response” tape. If O is a probabilistic oracle, then A^O(y) is a probability distribution on outputs taken over both the random tape of A and the probability distribution on O’s responses.

We denote the length of a string or sequence s by |s|. We denote the empty string or sequence by ε. The concatenation of string s_1 and string s_2 will be denoted by s_1||s_2, and when we write “Parse s as s_1^{t_1} || s_2^{t_2} || ··· || s_l^{t_l}” we mean to separate s into strings s_1, ..., s_l where each |s_i| = t_i and s = s_1 || s_2 || ··· || s_l. We will assume the use of efficient and unambiguous pairing and unpairing operators on strings, so that (s_1, s_2) may be uniquely interpreted as the pairing of s_1 with s_2, and is not the same as s_1||s_2. One example of such an operation is to encode (s_1, s_2) by a prefix-free encoding of |s_1|, followed by s_1, followed by a prefix-free encoding of |s_2| and then s_2. Unpairing then reads |s_1|, reads that many bits from the input into s_1, and repeats the process for s_2.
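The pairing operator just described, implemented as an added example (not code from the thesis) with Elias gamma as the assumed prefix-free length code; the lengths are shifted by one so that the empty string ε can also be paired:

```python
# Added example: unambiguous pairing/unpairing of bit strings (Section 2.1)
# using a prefix-free length encoding. Bit strings are Python str of '0'/'1'.

def gamma_encode(n: int) -> str:
    """Elias gamma code for n >= 1: (bitlength(n) - 1) zeros, then n in binary.
    It is prefix-free, so a decoder always knows where the length field ends."""
    b = format(n, "b")
    return "0" * (len(b) - 1) + b

def gamma_decode(bits: str, pos: int):
    """Read one gamma codeword starting at pos; return (value, next position)."""
    zeros = 0
    while bits[pos + zeros] == "0":
        zeros += 1
    end = pos + 2 * zeros + 1
    return int(bits[pos + zeros:end], 2), end

def pair(*parts: str) -> str:
    """(s_1, s_2, ...): for each s_i, emit gamma(|s_i| + 1) followed by s_i.
    The +1 is needed because gamma codes only n >= 1 (|epsilon| = 0)."""
    return "".join(gamma_encode(len(s) + 1) + s for s in parts)

def unpair(encoded: str, count: int):
    """Inverse of pair: read a length, then that many bits, `count` times."""
    parts, pos = [], 0
    for _ in range(count):
        n, pos = gamma_decode(encoded, pos)
        length = n - 1
        parts.append(encoded[pos:pos + length])
        pos += length
    if pos != len(encoded):
        raise ValueError("trailing bits: not a valid pairing")
    return tuple(parts)

def demo():
    # Two different pairs with the same plain concatenation s_1||s_2 = "101":
    # concatenation is ambiguous, the pairing is not.
    a, b = ("1", "01"), ("10", "1")
    return pair(*a), pair(*b), a[0] + a[1] == b[0] + b[1], unpair(pair(*a), 2)
```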

We will let U_k denote the uniform distribution on {0,1}^k. If X is a finite set, we will denote by x ← X the action of uniformly choosing x from X. We denote by U(L, l) the uniform distribution on functions f : {0,1}^L → {0,1}^l. For a probability distribution D, we denote the support of D by [D]. For an integer n, we let [n] denote the set {1, 2, ..., n}.

2.2 Cryptography and Provable Security

Modern cryptography makes use of reductions to prove the security of protocols; that is, to show that a protocol P is secure, we show how an attacker violating the security of P can be used to solve a problem Q which is believed to be intractable. Since solving Q is believed to be intractable, it then follows that violating the security of P is also intractable. In this section, we will give examples from the theory of symmetric cryptography to illustrate this approach, and introduce the notation to be used in the rest of the dissertation.

2.2.1 Computational Indistinguishability

Let X = {X_k}_{k∈N} and Y = {Y_k}_{k∈N} denote two sequences of probability distributions such that [X_k] = [Y_k] for all k. Many cryptographic questions address the issue of distinguishing between samples from X and samples from Y. For example, the distribution X could denote the possible encryptions of the message “Attack at Dawn” while Y denotes the possible encryptions of “Retreat at Dawn;” a cryptanalyst would like to distinguish between these distributions as accurately as possible, while a cryptographer would like to show that they are hard to tell apart. To address this concept, cryptographers have developed several notions of indistinguishability. The simplest is the statistical distance:

Definition 2.1. (Statistical Distance) Define the statistical distance between X and Y by

$$\Delta_k(X, Y) = \frac{1}{2} \sum_{x \in [X_k]} \left| \Pr[X_k = x] - \Pr[Y_k = x] \right| .$$

If Δ(X, Y) is small, it will be difficult to distinguish between X and Y, because most outcomes occur with similar probability under both distributions.

On the other hand, it could be the case that Δ(X, Y) is large but X and Y are still difficult to distinguish by some methods. For example, if X_k is the distribution on k-bit even-parity strings starting with 0 and Y_k is the distribution on k-bit even-parity strings starting with 1, then an algorithm which attempts to distinguish X and Y based on the parity of its input will fail, even though Δ(X, Y) = 1. To address this situation, we define the advantage of a program:

Definition 2.2. (Advantage) We will denote the advantage of a program A in distinguishing X and Y by

$$\mathrm{Adv}_A^{X,Y}(k) = \left| \Pr[A(X_k) = 1] - \Pr[A(Y_k) = 1] \right| .$$

Thus in the previous example, for any program A that considers only Σ_i s_i mod 2, it will be the case that Adv_A^{X,Y}(k) = 0.

While the class of adversaries who consider only the parity of a string is not very interesting, we may consider more interesting classes: for example, the class of all adversaries with running time bounded by t(k).


Definition 2.3. (Insecurity) We denote the insecurity of X, Y by

$$\mathrm{InSec}_{X,Y}(t, k) = \max_{A \in \mathrm{TIME}(t(k))} \left\{ \mathrm{Adv}_A^{X,Y}(k) \right\}$$

and we say that X_k and Y_k are (t, ε)-indistinguishable if InSec_{X,Y}(t, k) ≤ ε.

If we are interested in the case that t(k) is bounded by some polynomial in k, then we say that X and Y are computationally indistinguishable, written X ≈ Y, if for every A ∈ TIME(poly(k)), there is a negligible function ν such that Adv_A^{X,Y}(k) ≤ ν(k). (A function ν : N → (0, 1) is said to be negligible if for every c > 0, for all sufficiently large n, ν(n) < 1/n^c.)

We will make use, several times, of the following (well-known) facts about statistical and computational distance:

Proposition 2.4. Let Δ(X, Y) = ε. Then for any probabilistic program A,

$$\Delta(A(X), A(Y)) \le \varepsilon .$$


Proof.

$$\begin{aligned}
\Delta(A(X), A(Y)) &= \frac{1}{2} \sum_{x} \left| \Pr[A(X) = x] - \Pr[A(Y) = x] \right| \\
&= \frac{1}{2} \sum_{x} \left| \sum_{r} 2^{-|r|} \left( \Pr[A_r(X) = x] - \Pr[A_r(Y) = x] \right) \right| \\
&\le \frac{1}{2} \sum_{r} 2^{-|r|} \sum_{x} \left| \Pr[A_r(X) = x] - \Pr[A_r(Y) = x] \right| \\
&\le \frac{1}{2} \max_{r} \sum_{x} \left| \Pr[A_r(X) = x] - \Pr[A_r(Y) = x] \right| \\
&\le \frac{1}{2} \max_{r} \sum_{x} \sum_{y \in A_r^{-1}(x)} \left| \Pr[X = y] - \Pr[Y = y] \right| \\
&\le \Delta(X, Y) .
\end{aligned}$$

□

Proposition 2.5. For any t, InSec_{X,Y}(t, k) ≤ Δ(X, Y).
Proof. Let A ∈ TIME(t) be any program with range {0, 1}. Then we have that

$$\begin{aligned}
\mathrm{Adv}_A^{X,Y}(k) &= \left| \Pr[A(X) = 1] - \Pr[A(Y) = 1] \right| \\
&= \left| (1 - \Pr[A(X) = 0]) - (1 - \Pr[A(Y) = 0]) \right| \\
&= \left| \Pr[A(X) = 0] - \Pr[A(Y) = 0] \right| \\
&= \frac{1}{2} \left( \left| \Pr[A(X) = 0] - \Pr[A(Y) = 0] \right| + \left| \Pr[A(X) = 1] - \Pr[A(Y) = 1] \right| \right) \\
&= \Delta(A(X), A(Y)) .
\end{aligned}$$

And thus, by the previous proposition, Adv_A^{X,Y}(k) ≤ Δ(X, Y). Since this holds for every A, we then have that

$$\mathrm{InSec}_{X,Y}(t, k) = \max_{A \in \mathrm{TIME}(t)} \left\{ \mathrm{Adv}_A^{X,Y}(k) \right\} \le \Delta(X, Y) .$$

□
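The even-parity example of Section 2.2.1 and Propositions 2.4 and 2.5, worked out exactly by enumeration as an added example (not the thesis's code): X_k and Y_k are the uniform distributions on k-bit even-parity strings with first bit 0 and 1, and distinguishers are deterministic Python functions.

```python
# Added example: statistical distance (Def. 2.1), advantage (Def. 2.2) and the
# bounds of Props. 2.4 and 2.5 on the k-bit even-parity distributions.
from itertools import product

def parity(s):
    """sum_i s_i mod 2; the distinguisher that cannot tell X_k from Y_k."""
    return sum(s) % 2

def first_bit(s):
    """The distinguisher that separates X_k from Y_k perfectly."""
    return s[0]

def even_parity_dist(k, first):
    """X_k (first=0) or Y_k (first=1): uniform over k-bit even-parity strings
    whose first bit is `first`.  Returned as {string (tuple of bits): prob}."""
    strings = [s for s in product((0, 1), repeat=k)
               if s[0] == first and parity(s) == 0]
    return {s: 1 / len(strings) for s in strings}

def stat_distance(P, Q):
    """Delta(P, Q) = 1/2 * sum_x |Pr_P[x] - Pr_Q[x]| over the union of supports."""
    return 0.5 * sum(abs(P.get(x, 0.0) - Q.get(x, 0.0)) for x in set(P) | set(Q))

def apply(A, P):
    """Distribution of A(P) for a deterministic program A (post-processing)."""
    out = {}
    for x, p in P.items():
        out[A(x)] = out.get(A(x), 0.0) + p
    return out

def advantage(A, P, Q):
    """Adv_A^{P,Q} = |Pr[A(P) = 1] - Pr[A(Q) = 1]| for a {0,1}-valued A."""
    return abs(apply(A, P).get(1, 0.0) - apply(A, Q).get(1, 0.0))

def demo(k=6):
    X, Y = even_parity_dist(k, 0), even_parity_dist(k, 1)
    delta = stat_distance(X, Y)                 # disjoint supports: 1.0
    adv_parity = advantage(parity, X, Y)        # parity is useless: 0.0
    adv_first = advantage(first_bit, X, Y)      # first bit: 1.0
    # Prop. 2.4: post-processing by A never increases statistical distance
    post_parity = stat_distance(apply(parity, X), apply(parity, Y))
    post_first = stat_distance(apply(first_bit, X), apply(first_bit, Y))
    # Prop. 2.5: every advantage is bounded by Delta(X, Y)
    bounded = max(adv_parity, adv_first) <= delta
    return {"delta": delta, "adv_parity": adv_parity, "adv_first": adv_first,
            "post_parity": post_parity, "post_first": post_first, "bounded": bounded}
```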

Proposition 2.6. For any m ∈ N, InSec_{X^m,Y^m}(t, k) ≤ m · InSec_{X,Y}(t + (m − 1)T, k), where T = max{Time to sample from X, Time to sample from Y}.


Proof. The proof uses a “hybrid” argument. Consider any A ∈ TIME(t); we wish to bound Adv_A^{X^m,Y^m}(k). To do so, we define a sequence of hybrid distributions Z_0, ..., Z_m, where Z_0 = X^m, Z_m = Y^m, and Z_i = (Y^i, X^{m−i}). We will consider the “experiment” of using A to distinguish Z_i from Z_{i+1}.

Notice that starting from the definition of advantage, we have:

$$\begin{aligned}
\mathrm{Adv}_A^{X^m,Y^m}(k) &= \left| \Pr[A(X^m) = 1] - \Pr[A(Y^m) = 1] \right| \\
&= \left| \Pr[A(Z_0) = 1] - \Pr[A(Z_m) = 1] \right| \\
&= \left| (\Pr[A(Z_0) = 1] - \Pr[A(Z_1) = 1]) + (\Pr[A(Z_1) = 1] - \Pr[A(Z_2) = 1]) + \cdots + (\Pr[A(Z_{m-1}) = 1] - \Pr[A(Z_m) = 1]) \right| \\
&\le \sum_{i=1}^{m} \left| \Pr[A(Z_i) = 1] - \Pr[A(Z_{i-1}) = 1] \right| \\
&= \sum_{i=1}^{m} \mathrm{Adv}_A^{Z_{i-1},Z_i}(k) .
\end{aligned}$$

Now notice that for each i, there is a program B_i which distinguishes X from Y with the same advantage as A has in distinguishing Z_{i−1} from Z_i: on input S, B_i draws i − 1 samples from Y, m − i samples from X, and runs A with input (Y^{i−1}, S, X^{m−i}). If S ← X, then Pr[B_i(S) = 1] = Pr[A(Z_{i−1}) = 1], because the first i − 1 samples in A’s input will be from Y, and the remaining samples will be from X. On the other hand, if S ← Y, then Pr[B_i(S) = 1] = Pr[A(Z_i) = 1], because the first i samples in A’s input will be from Y. So we have:

$$\begin{aligned}
\mathrm{Adv}_{B_i}^{X,Y}(k) &= \left| \Pr[B_i(X) = 1] - \Pr[B_i(Y) = 1] \right| \\
&= \left| \Pr[A(Z_{i-1}) = 1] - \Pr[A(Z_i) = 1] \right| \\
&= \mathrm{Adv}_A^{Z_{i-1},Z_i}(k) .
\end{aligned}$$

And therefore we can bound A’s advantage in distinguishing X^m, Y^m by

$$\sum_{i=1}^{m} \mathrm{Adv}_{B_i}^{X,Y}(k) .$$

Now since B_i takes as long as A to run (plus time at most (m − 1)T to draw the additional samples from X, Y), it follows that

$$\mathrm{Adv}_{B_i}^{X,Y}(k) \le \mathrm{InSec}_{X,Y}(t + (m-1)T, k) ,$$

so we can conclude that

$$\mathrm{Adv}_A^{X^m,Y^m}(k) \le m \cdot \mathrm{InSec}_{X,Y}(t + (m-1)T, k) .$$

Since the theorem holds for any A ∈ TIME(t), we have that

$$\mathrm{InSec}_{X^m,Y^m}(t, k) \le \max_{A \in \mathrm{TIME}(t)} \left\{ \mathrm{Adv}_A^{X^m,Y^m}(k) \right\} \le m \cdot \mathrm{InSec}_{X,Y}(t + (m-1)T, k) ,$$

as claimed. □

The style of proof we have used for this proposition, in which we attempt to state as tightly as possible the relationship between the “security” of two related problems without reference to asymptotic analysis, is referred to in the literature as concrete security analysis. In this dissertation, we will give concrete security results except in Chapter 8, in which the concrete analysis would be too cumbersome.
2.2.2 Universal Hash Functions


A Universal Hash Family is a family of functions H : {0,1}^l × {0,1}^m → {0,1}^n where m ≥ n, such that for any x_1 ≠ x_2 ∈ {0,1}^m and y_1, y_2 ∈ {0,1}^n,

$$\Pr_{Z \leftarrow U_l} \left[ H(Z, x_1) = y_1 \wedge H(Z, x_2) = y_2 \right] = 2^{-2n} .$$

Universal hash functions are easy to construct for any m, n with l = 2m, by considering functions of the form h_{a,b}(x) = ax + b, over the field GF(2^m), with truncation to the least significant n bits. It is easy to see that such a family is universal, because truncation is regular, and the full-rank system ax_1 + b = y_1, ax_2 + b = y_2 has exactly one solution over GF(2^m), which is selected with probability 2^{−2m}; since each pair of n-bit truncated outputs has 2^{2(m−n)} such full solutions, the probability of any pair (y_1, y_2) is 2^{2(m−n)} · 2^{−2m} = 2^{−2n}. We will make use of universal hash functions to convert distributions with large minimum entropy into distributions which are indistinguishable from uniform.


Definition 2.7. (Entropy) Let D be a distribution with finite support X. Define the minimum entropy of D, H_∞(D), as

$$H_\infty(D) = \min_{x \in X} \left\{ \log_2 \frac{1}{\Pr_D[x]} \right\}$$

Define the Shannon entropy of D, H_S(D), by

$$H_S(D) = \mathbb{E}_{x \leftarrow D} \left[ -\log_2 \Pr_D[x] \right] .$$

Lemma  2.8.  (Leftover  Hash  Lemma,  [33])  Let  FI  :  {0,  l}1  x  {0,  l}m 
universal  hash  family,  and  let  X  :  {0,  l}m  satisfy  iL00( A")  >  k.  Then 


{0, l}n  be  a 


A ((Z,H(Z,X)),(Z,Un))  <  2_(fc_nP2+1 


As  a  convention,  we  will  sometimes  refer  to  H  as  a  family  of  functions  and  identify 
elements  of  H  by  their  index,  e.g.,  when  we  say  h  G  H,  then  h(x)  refers  to  H(h,x). 
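As an added illustration (not part of the thesis), the following Python checks the two claims above exhaustively for small parameters: that the truncated affine family $h_{a,b}(x) = ax + b$ over $GF(2^m)$ meets the $2^{-2n}$ condition for every pair of distinct inputs, and that hashing a constructed source of min-entropy $k$ bits lands within the bound of Lemma 2.8. The irreducible polynomials and the source distribution $X$ are assumptions of the example.

```python
"""Universal hashing over GF(2^m) and the Leftover Hash Lemma, checked exhaustively.

Added example, not from the thesis.  h_{a,b}(x) = trunc_n(a*x + b) over GF(2^m) is the family
described above; the irreducible polynomials and the source distribution X are constructed.
"""
import math
from fractions import Fraction
from itertools import product

# Irreducible polynomials defining GF(2^m) for the field sizes used below
# (assumption: any irreducible polynomial of degree m would serve equally well).
IRREDUCIBLE = {4: 0b1_0011, 6: 0b100_0011, 8: 0b1_0001_1011}


def gf_mul(a: int, b: int, m: int) -> int:
    """Product of a and b in GF(2^m): carry-less multiply, reduced modulo IRREDUCIBLE[m]."""
    poly, r = IRREDUCIBLE[m], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:                  # degree reached m: subtract (xor) the modulus
            a ^= poly
    return r


def h(z: int, x: int, m: int, n: int) -> int:
    """H(Z, x) with Z = (a, b) packed into l = 2m bits: the n low bits of a*x + b in GF(2^m)."""
    a, b = z >> m, z & ((1 << m) - 1)
    return (gf_mul(a, x, m) ^ b) & ((1 << n) - 1)


def is_pairwise_independent(m: int, n: int) -> bool:
    """Exhaustive check that Pr_Z[H(Z,x1)=y1 and H(Z,x2)=y2] = 2^-2n for all x1 != x2 and all y1, y2."""
    keys, target = 1 << (2 * m), Fraction(1, 1 << (2 * n))
    for x1, x2 in product(range(1 << m), repeat=2):
        if x1 == x2:
            continue
        counts: dict = {}
        for z in range(keys):
            pair = (h(z, x1, m, n), h(z, x2, m, n))
            counts[pair] = counts.get(pair, 0) + 1
        # all 2^2n output pairs must occur, each for exactly keys * 2^-2n of the keys
        if len(counts) != 1 << (2 * n) or any(Fraction(c, keys) != target for c in counts.values()):
            return False
    return True


def min_entropy_uniform(support_size: int) -> float:
    """H_inf of the uniform distribution on support_size points (Definition 2.7)."""
    return math.log2(support_size)


def lhl_distance(m: int, n: int, support: list) -> Fraction:
    """Delta((Z, H(Z,X)), (Z, U_n)) for X uniform on `support` and Z uniform on 2m bits:
    1/2 * sum_z Pr[Z=z] * sum_y |Pr[H(z,X)=y] - 2^-n|."""
    keys, uniform, total = 1 << (2 * m), Fraction(1, 1 << n), Fraction(0)
    for z in range(keys):
        hist = [0] * (1 << n)
        for x in support:
            hist[h(z, x, m, n)] += 1
        total += sum(abs(Fraction(c, len(support)) - uniform) for c in hist)
    return total / (2 * keys)


def lhl_bound(k: float, n: int) -> float:
    """Right-hand side of Lemma 2.8 as stated above: 2^{-(k-n)/2 + 1}."""
    return 2.0 ** (-(k - n) / 2 + 1)


if __name__ == "__main__":
    print("GF(2^4) affine family, 2 output bits, pairwise independent:", is_pairwise_independent(4, 2))
    X = list(range(0, 64, 4))      # constructed source: uniform on 16 points of {0,1}^6, H_inf(X) = 4
    d = lhl_distance(6, 1, X)
    print(f"Delta = {float(d):.4f}  <=  bound {lhl_bound(min_entropy_uniform(len(X)), 1):.4f}")
```

The exhaustive check is what the "full-rank system" argument promises: for $x_1 \ne x_2$ the map $(a, b) \mapsto (ax_1 + b, ax_2 + b)$ is a bijection of $GF(2^m)^2$, so truncating both coordinates to $n$ bits spreads the $2^{2m}$ keys evenly over the $2^{2n}$ output pairs. Note that the stated constant in Lemma 2.8 is loose for small parameters; the point of the lemma is the exponent in $k - n$.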

2.2.3  Pseudorandom  Generators 

Let $G = \{G_k : \{0,1\}^k \to \{0,1\}^{l(k)}\}_{k \in \mathbb{N}}$ denote a sequence of functions, with $l(k) > k$. Then $G$ is a pseudorandom generator (PRG) if $G(U_k) \approx U_{l(k)}$. More formally, define the PRG-advantage of $A$ against $G$ by
$$\mathbf{Adv}^{\mathrm{prg}}_{A,G}(k) = \left| \Pr[A(G(U_k)) = 1] - \Pr[A(U_{l(k)}) = 1] \right|$$
and the PRG-insecurity of $G$ by
$$\mathbf{InSec}^{\mathrm{prg}}_{G}(t, k) = \max_{A \in \mathrm{TIME}(t(k))} \left\{ \mathbf{Adv}^{\mathrm{prg}}_{A,G}(k) \right\}\ .$$
Then $G_k$ is a $(t, \epsilon)$-secure PRG if $\mathbf{InSec}^{\mathrm{prg}}_{G}(t, k) \le \epsilon$, and $G$ is a PRG if for every $A \in \mathrm{TIME}(\mathrm{poly}(k))$, there is a negligible $\mu$ such that $\mathbf{Adv}^{\mathrm{prg}}_{A,G}(k) \le \mu(k)$.

Pseudorandom generators can be seen as the basic primitive on which symmetric cryptography is built. If $G$ is a $(t, \epsilon)$-PRG, then $G(U_k)$ can be used in place of $U_{l(k)}$ for any application, and the loss in security against $\mathrm{TIME}(t)$ adversaries will be at most $\epsilon$. It was shown by Håstad et al. [33] that asymptotically, PRGs exist if and only if one-way functions (OWFs) exist; thus when we say that the existence of a primitive is equivalent to the existence of one-way functions, we may show it by giving reductions to and from PRGs.


2.2.4  Pseudorandom  Functions 

Let $F : \{0,1\}^k \times \{0,1\}^L \to \{0,1\}^l$ denote a family of functions. Informally, $F$ is a pseudorandom function family (PRF) if $F$ and $U(L, l)$, the uniform distribution on functions from $\{0,1\}^L$ to $\{0,1\}^l$, are indistinguishable by oracle queries. Formally, let $A$ be an oracle probabilistic adversary. Define the prf-advantage of $A$ over $F$ as
$$\mathbf{Adv}^{\mathrm{prf}}_{A,F}(k) = \left| \Pr_{K \leftarrow U_k}\left[A^{F_K(\cdot)}(1^k) = 1\right] - \Pr_{g \leftarrow U(L,l)}\left[A^{g(\cdot)}(1^k) = 1\right] \right|\ .$$
Define the insecurity of $F$ as
$$\mathbf{InSec}^{\mathrm{prf}}_{F}(t, q, k) = \max_{A \in \mathcal{A}(t,q)} \left\{ \mathbf{Adv}^{\mathrm{prf}}_{A,F}(k) \right\}$$
where $\mathcal{A}(t, q)$ denotes the set of adversaries taking at most $t$ steps and making at most $q$ oracle queries. Then $F_k$ is a $(t, q, \epsilon)$-pseudorandom function if $\mathbf{InSec}^{\mathrm{prf}}_{F}(t, q, k) \le \epsilon$. Suppose that $l(k)$ and $L(k)$ are polynomials. A sequence $\{F_k\}_{k \in \mathbb{N}}$ of families $F_k : \{0,1\}^k \times \{0,1\}^{L(k)} \to \{0,1\}^{l(k)}$ is called pseudorandom if for all polynomially bounded adversaries $A$, $\mathbf{Adv}^{\mathrm{prf}}_{A,F}(k)$ is negligible in $k$. We will sometimes write $F_k(K, \cdot)$ as $F_K(\cdot)$.

We  will  make  use  of  the  following  results  relating  PRFs  and  PRGs. 
Proposition 2.9. Let $F_k : \{0,1\}^k \times \{0,1\}^{L(k)} \to \{0,1\}^{l(k)}$ be a PRF. Let $q = \lceil (k+1)/l(k) \rceil$. Define $G_k : \{0,1\}^k \to \{0,1\}^{k+1}$ by $G(X) = F_X(0) \| F_X(1) \| \cdots \| F_X(q-1)$ (truncated to its first $k+1$ bits). Then
$$\mathbf{InSec}^{\mathrm{prg}}_{G}(t, k) \le \mathbf{InSec}^{\mathrm{prf}}_{F}(t + q, q, k)\ .$$

Proof. Consider an arbitrary PRG adversary $A$. We will construct a PRF adversary $B$ with the same advantage against $F$ as $A$ has against $G$. $B$ has oracle access to a function $f$. $B$ makes $q$ queries to $f$, constructing the string $s = f(0) \| \cdots \| f(q-1)$, and then returns the output of $A$ on $s$. If $f$ is a uniformly chosen function, the string $s$ is uniformly chosen; thus
$$\Pr[B^f(1^k) = 1] = \Pr[A(U_{k+1}) = 1]\ .$$
If $f$ is an element of $F$, then the string $s$ is chosen exactly from $G(U_k)$. In this case, we have
$$\Pr[B^{F_K}(1^k) = 1] = \Pr[A(G(U_k)) = 1]\ .$$
Combining the cases gives us
$$\begin{aligned}
\mathbf{Adv}^{\mathrm{prf}}_{B,F}(k) &= \left| \Pr[B^{F_K}(1^k) = 1] - \Pr[B^f(1^k) = 1] \right| \\
&= \left| \Pr[A(G(U_k)) = 1] - \Pr[A(U_{k+1}) = 1] \right| \\
&= \mathbf{Adv}^{\mathrm{prg}}_{A,G}(k)\ .
\end{aligned}$$
Since $B$ runs in the same time as $A$ plus the time to make $q$ oracle queries, we have by definition of insecurity that
$$\mathbf{Adv}^{\mathrm{prf}}_{B,F}(k) \le \mathbf{InSec}^{\mathrm{prf}}_{F}(t + q, q, k)\ ,$$
and thus, for every $A$, we have
$$\mathbf{Adv}^{\mathrm{prg}}_{A,G}(k) \le \mathbf{InSec}^{\mathrm{prf}}_{F}(t + q, q, k)\ ,$$
which yields the stated theorem. $\square$

Intuitively, this proposition states that a pseudorandom function can be used to construct a pseudorandom generator. This is because if we believe that $F$ is pseudorandom, we must believe that $\mathbf{InSec}^{\mathrm{prf}}_{F}(t, q, k)$ is small, and therefore that the insecurity of the construction $G$, $\mathbf{InSec}^{\mathrm{prg}}_{G}(t, k)$, is also small.
Proposition 2.10. ([27], Theorem 3) Let $G : \{0,1\}^k \to \{0,1\}^{2k}$ be a PRG. There exists a function family $F^G : \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$ such that
$$\mathbf{InSec}^{\mathrm{prf}}_{F^G}(t, q, k) \le qk \cdot \mathbf{InSec}^{\mathrm{prg}}_{G}(t + qk\,\mathrm{TIME}(G), k)\ .$$
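The two propositions are the two directions of the PRF/PRG equivalence. The following Python, added here and not taken from the thesis or from [27], implements both constructions: the counter construction $G(X) = F_X(0) \| F_X(1) \| \cdots$ of Proposition 2.9, and the Goldreich-Goldwasser-Micali tree $F^G$ of Proposition 2.10, with a counter that makes the $qk$ PRG invocations in its bound visible. SHAKE256 is used as a stand-in for the length-doubling PRG $G$; that choice, the key size and the block sizes are assumptions of the example.

```python
"""PRF <-> PRG conversions of Propositions 2.9 and 2.10, with the PRG-call count made visible.

Added example, not from the thesis or from [27].  SHAKE256 stands in for the length-doubling
PRG G : {0,1}^k -> {0,1}^{2k} (an assumption); the key and block sizes are constructed.
"""
import hashlib
from math import ceil
from typing import Callable


class LengthDoublingPRG:
    """G : {0,1}^k -> {0,1}^{2k}.  Counts invocations so the q*k factor in Proposition 2.10 shows up."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, seed: bytes) -> bytes:
        self.calls += 1
        return hashlib.shake_256(b"G|" + seed).digest(2 * len(seed))


class GGMPRF:
    """F^G : {0,1}^k x {0,1}^k -> {0,1}^k, the Goldreich-Goldwasser-Micali tree construction.

    The input x is read most-significant bit first; at each level G is applied to the current
    k-byte seed and the left (bit 0) or right (bit 1) half is kept.  One evaluation on an L-bit
    input therefore costs exactly L invocations of G.
    """

    def __init__(self, prg: LengthDoublingPRG, key: bytes) -> None:
        self.prg, self.key = prg, key
        self.in_bits = 8 * len(key)              # L = k, as in the proposition

    def __call__(self, x: int) -> bytes:
        if not 0 <= x < (1 << self.in_bits):
            raise ValueError("input outside {0,1}^L")
        k, seed = len(self.key), self.key
        for i in reversed(range(self.in_bits)):
            out = self.prg(seed)
            seed = out[k:] if (x >> i) & 1 else out[:k]
        return seed


def prf_to_prg(prf: Callable[[int], bytes], block_bytes: int, out_bytes: int) -> bytes:
    """Proposition 2.9 in bytes: G(X) = F_X(0) || F_X(1) || ... || F_X(q-1), q = ceil(out/block),
    truncated to out_bytes (k+1 bits in the proposition; one extra byte here)."""
    q = ceil(out_bytes / block_bytes)
    return b"".join(prf(i) for i in range(q))[:out_bytes]


if __name__ == "__main__":
    prg = LengthDoublingPRG()
    f = GGMPRF(prg, bytes(range(16)))             # constructed 128-bit key
    for x in range(8):                            # q = 8 queries on k = 128-bit inputs
        f(x)
    print("PRG calls for 8 PRF queries:", prg.calls, "= q*k =", 8 * 128)
    print("17-byte PRG output from the PRF:", prf_to_prg(f, 16, 17).hex())
```

The `calls` counter is the concrete-security content of Proposition 2.10: a distinguisher that makes $q$ queries forces $qk$ evaluations of $G$, which is where both the $qk$ multiplier and the $qk\,\mathrm{TIME}(G)$ running-time term in the bound come from. Proposition 2.9 is the cheaper direction, costing only $q$ PRF queries.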

2.2.5 Encryption

A symmetric cryptosystem $\mathcal{E}$ consists of three (randomized) algorithms:

• $\mathcal{E}.\mathrm{Generate} : 1^k \to \{0,1\}^k$ generates shared keys $K \in \{0,1\}^k$. We will abbreviate $\mathcal{E}.\mathrm{Generate}(1^k)$ by $G(1^k)$, when it is clear which encryption scheme is meant.

• $\mathcal{E}.\mathrm{Encrypt} : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^*$ uses a key to transform a plaintext into a ciphertext. We will abbreviate $\mathcal{E}.\mathrm{Encrypt}(K, \cdot)$ by $E_K(\cdot)$.

• $\mathcal{E}.\mathrm{Decrypt} : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^*$ uses a key to transform a ciphertext into the corresponding plaintext. We will abbreviate $\mathcal{E}.\mathrm{Decrypt}(K, \cdot)$ by $D_K(\cdot)$.

such that for all keys $K$ and plaintexts $m$, $\mathcal{E}.\mathrm{Decrypt}(K, \mathcal{E}.\mathrm{Encrypt}(K, m)) = m$. Informally, we will say that a cryptosystem is secure if, after viewing encryptions of plaintexts of its choosing, an adversary cannot distinguish ciphertexts from uniform random strings. This is slightly different from the more standard notion, in which it is only required that encryptions of distinct plaintexts are indistinguishable from each other.

To formally define the security condition for a cryptosystem, consider a game in which an adversary $A$ is given access to an oracle $\mathcal{O}$ which is either:

• $E_K$ for $K \leftarrow G(1^k)$; that is, an oracle which given a message $m$, returns a sample from $E_K(m)$; or

• $\$(\cdot)$; that is, an oracle which on query $m$ ignores its input and returns a uniformly selected string of length $|E_K(m)|$.

Let $\mathcal{A}(t, q, l)$ be the set of adversaries $A$ which make $q(k)$ queries to the oracle of at most $l(k)$ bits in total and run for $t(k)$ time steps. Define the CPA advantage of $A$ against $\mathcal{E}$ as
$$\mathbf{Adv}^{\mathrm{cpa}}_{A,\mathcal{E}}(k) = \left| \Pr[A^{E_K}(1^k) = 1] - \Pr[A^{\$}(1^k) = 1] \right|$$
where the probabilities are taken over the oracle draws and the randomness of $A$. Define the insecurity of $\mathcal{E}$ as
$$\mathbf{InSec}^{\mathrm{cpa}}_{\mathcal{E}}(t, q, l, k) = \max_{A \in \mathcal{A}(t,q,l)} \left\{ \mathbf{Adv}^{\mathrm{cpa}}_{A,\mathcal{E}}(k) \right\}\ .$$
Then $\mathcal{E}$ is $(t, q, l, k, \epsilon)$-indistinguishable from random bits under chosen plaintext attack if $\mathbf{InSec}^{\mathrm{cpa}}_{\mathcal{E}}(t, q, l, k) \le \epsilon$. $\mathcal{E}$ is called (computationally) indistinguishable from random bits under chosen plaintext attack (IND$-CPA) if for every PPTM $A$, $\mathbf{Adv}^{\mathrm{cpa}}_{A,\mathcal{E}}(k)$ is negligible in $k$.

It was shown by [33] that the existence of secure symmetric cryptosystems is equivalent to the existence of OWFs.

Proposition 2.11. ([36], Theorem 4.3) Let $\mathcal{E}$ be a symmetric cryptosystem. Then there is a generator $G^{\mathcal{E}}$ such that $G^{\mathcal{E}}$ is a PRG if $\mathcal{E}$ is IND$-CPA.

Proposition 2.12. Let $F : \{0,1\}^k \times \{0,1\}^k \to \{0,1\}$ be a function family. Define the cryptosystem $\mathcal{E}^F$ as follows:

• $G(1^k) \leftarrow U_k$.

• $E_K(m_1 \cdots m_l) = c \| F_K(c+1) \oplus m_1 \| \cdots \| F_K(c+l) \oplus m_l$, where $c \leftarrow U_k$.

• $D_K(c \| x_1 \cdots x_l) = F_K(c+1) \oplus x_1 \| \cdots \| F_K(c+l) \oplus x_l$.

Then
$$\mathbf{InSec}^{\mathrm{cpa}}_{\mathcal{E}^F}(t, q, l, k) \le \mathbf{InSec}^{\mathrm{prf}}_{F}(t + 2l, l, k) + \frac{2ql}{2^k}\ .$$

Proof. Let $A$ be a chosen-plaintext attacker for $\mathcal{E}^F$. We will construct a PRF attacker $B$ for $F$ which has advantage at least
$$\mathbf{Adv}^{\mathrm{prf}}_{B,F}(k) \ge \mathbf{Adv}^{\mathrm{cpa}}_{A,\mathcal{E}^F}(k) - \frac{2ql}{2^k}\ .$$
$B$ will run in time $t + 2l$ and make $l$ queries to its function oracle, so that
$$\mathbf{Adv}^{\mathrm{prf}}_{B,F}(k) \le \mathbf{InSec}^{\mathrm{prf}}_{F}(t + 2l, l, k)\ ,$$
which will yield the result.

$B$'s strategy is to play the part of the encryption oracle in $A$'s chosen-plaintext attack game. Thus, $B$ will run $A$, and whenever $A$ makes an encryption query, $B$ will produce a response using its function oracle, which it will pass back to $A$. At the conclusion of the chosen-plaintext game, $A$ produces an output bit, which $B$ will use for its output. It remains to describe how $B$ will respond to $A$'s encryption queries. $B$ will do so by executing the encryption program $E_K$ from above, but using its function oracle in place of $F_K$. Thus, on a query $m_1 \cdots m_l$, $B^f$ will choose $c \leftarrow U_k$, and give $A$ the response $c \| f(c+1) \oplus m_1 \| \cdots \| f(c+l) \oplus m_l$.

Let us bound the advantage of $B$. In case $B$'s oracle is chosen from $F_K$, $B$ will perfectly simulate an encryption oracle to $A$. Thus
$$\Pr[B^{F_K}(1^k) = 1] = \Pr[A^{E_K}(1^k) = 1]\ .$$
Now suppose that $B$'s oracle is a uniformly chosen function, and let $NC$ denote the event that $B$ does not query its oracle more than once on any input, and let $C$ denote the complement of $NC$, that is, the event that $B$ queries its oracle at least twice on at least one input. Conditioned on $NC$, every bit that $B$ returns to $A$ is uniformly chosen, for a uniform choice of $f$, subject to the condition that none of the leading values $c$ overlap, an event we will denote by $N\$$, and which has identical probability to $NC$. In this case $B$ perfectly simulates a random-bit oracle to $A$, giving us
$$\Pr[B^f(1^k) = 1 \mid NC] = \Pr[A^{\$}(1^k) = 1 \mid N\$]\ .$$
By conditioning on $NC$ and $C$, we find that
$$\begin{aligned}
\mathbf{Adv}^{\mathrm{prf}}_{B,F}(k) &= \Pr[B^{F_K}(1^k) = 1] - \Pr[B^f(1^k) = 1] \\
&= \Pr[A^{E_K}(1^k) = 1] - \left( \Pr[B^f(1^k) = 1 \mid NC]\Pr[NC] + \Pr[B^f(1^k) = 1 \mid C]\Pr[C] \right) \\
&\ge \Pr[A^{E_K}(1^k) = 1] - \Pr[A^{\$}(1^k) = 1 \wedge N\$] - \Pr[C] \\
&\ge \Pr[A^{E_K}(1^k) = 1] - \Pr[A^{\$}(1^k) = 1] - \Pr[C] \\
&= \mathbf{Adv}^{\mathrm{cpa}}_{A,\mathcal{E}^F}(k) - \Pr[C]\ ,
\end{aligned}$$
where we assume without loss of generality that $\Pr[A^{E_K}(1^k) = 1] \ge \Pr[A^{\$}(1^k) = 1]$. To finish the proof, we need only to bound $\Pr[C]$.
To bound the probability of the event $C$, let us further subdivide this event. During the attack game, $A$ will make $q$ queries that $B$ must answer, so that $B$ chooses $q$ $k$-bit values $c_1, \ldots, c_q$ to encrypt messages of length $l_1, \ldots, l_q$. Let us denote by $NC_i$ the event that after the $i$th encryption query made by $A$, $B$ has not made any duplicate queries to its function oracle $f$; and let $C_i$ denote the complement of $NC_i$. We will show that
$$\Pr[C_i \mid NC_{i-1}] \le 2^{-k}\Big( i\, l_i + \sum_{j<i} l_j \Big)\ ,$$
and therefore we will have
$$\begin{aligned}
\Pr[C] = \Pr[C_q] &\le \Pr[C_q \mid NC_{q-1}] + \Pr[C_{q-1}] \\
&\le \sum_{i=1}^{q} \Pr[C_i \mid NC_{i-1}] \\
&\le 2^{-k} \sum_{i=1}^{q} \Big( i\, l_i + \sum_{j<i} l_j \Big) \\
&\le \frac{2ql}{2^k}\ ,
\end{aligned}$$
which establishes the desired bound, given the bound on $\Pr[C_i \mid NC_{i-1}]$ (the last step uses $i \le q$ and $\sum_i l_i \le l$). To establish this conditional bound, fix any choice of the values $c_1, \ldots, c_{i-1}$. The value $c_i$ will cause a duplicate input to $f$ if there is some $c_j$ such that $c_j - l_i < c_i < c_j + l_j$, which happens with probability at most $(l_i + l_j)/2^k$, since $c_i$ is chosen uniformly. Thus by the union bound, we have that
$$\Pr[C_i \mid NC_{i-1}] \le 2^{-k} \sum_{j<i} (l_i + l_j)\ ,$$
and rearranging gives the stated bound:
$$\Pr[C_i \mid NC_{i-1}] \le 2^{-k}\Big( i\, l_i + \sum_{j<i} l_j \Big)\ .$$
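As an added example (not from the thesis), here is $\mathcal{E}^F$ implemented in Python with the low bit of HMAC-SHA256 standing in for the bit-valued PRF (an assumption), together with a Monte Carlo check that the counter-overlap event $C$ from the proof stays under the $2ql/2^k$ term, and a demonstration of why that term matters: two messages encrypted under the same counter values leak $m_1 \oplus m_2$ with no key involved. Counters are reduced modulo $2^k$, which the proposition leaves implicit.

```python
"""The cryptosystem E^F of Proposition 2.12 and the counter-overlap event C from its proof.

Added example, not from the thesis.  HMAC-SHA256's low bit stands in for the bit-valued PRF
F_K : {0,1}^k x {0,1}^k -> {0,1} (an assumption).  Counters are reduced modulo 2^k so that
c + i stays in the PRF's domain, which the proposition leaves implicit.
"""
import hashlib
import hmac
import random
from typing import List, Optional, Sequence, Tuple

Bits = List[int]


def prf_bit(key: bytes, x: int, k: int) -> int:
    """F_K(x) in {0,1} for x in {0,1}^k: PRF stand-in, not the thesis's F."""
    mac = hmac.new(key, x.to_bytes((k + 7) // 8, "big"), hashlib.sha256).digest()
    return mac[0] & 1


def encrypt(key: bytes, m: Bits, k: int, rng: Optional[random.Random] = None,
            counter: Optional[int] = None) -> Tuple[int, Bits]:
    """E_K(m_1...m_l) = c || F_K(c+1) xor m_1 || ... || F_K(c+l) xor m_l, c <- U_k.
    `counter` overrides the random draw; it exists only to exhibit the reuse leak below."""
    c = counter if counter is not None else (rng or random).randrange(1 << k)
    return c, [prf_bit(key, (c + i) % (1 << k), k) ^ b for i, b in enumerate(m, start=1)]


def decrypt(key: bytes, c: int, x: Bits, k: int) -> Bits:
    """D_K(c || x_1...x_l) = F_K(c+1) xor x_1 || ... || F_K(c+l) xor x_l."""
    return [prf_bit(key, (c + i) % (1 << k), k) ^ b for i, b in enumerate(x, start=1)]


def overlap_event(counters: Sequence[int], lengths: Sequence[int], k: int) -> bool:
    """Event C: some PRF input c_i + j (1 <= j <= l_i) is queried twice across the q encryptions."""
    seen = set()
    for c, l in zip(counters, lengths):
        for j in range(1, l + 1):
            x = (c + j) % (1 << k)
            if x in seen:
                return True
            seen.add(x)
    return False


def estimate_pr_c(lengths: Sequence[int], k: int, trials: int, seed: int = 2004) -> float:
    """Monte Carlo estimate of Pr[C] for q = len(lengths) queries with uniform k-bit counters."""
    rng = random.Random(seed)
    hits = sum(overlap_event([rng.randrange(1 << k) for _ in lengths], lengths, k)
               for _ in range(trials))
    return hits / trials


def pr_c_bound(lengths: Sequence[int], k: int) -> float:
    """The proof's bound 2ql/2^k, with l the total number of plaintext bits over the q queries."""
    return 2 * len(lengths) * sum(lengths) / (1 << k)


def keystream_reuse_leak(x1: Bits, x2: Bits) -> Bits:
    """If two messages share counter values (event C), XORing the ciphertext bodies gives
    m_1 xor m_2 with no key involved: this is what the 2ql/2^k term pays for."""
    return [a ^ b for a, b in zip(x1, x2)]


if __name__ == "__main__":
    k, key = 10, bytes(range(32))                 # constructed parameters
    m = [1, 0, 1, 1, 0, 0, 1, 0]
    c, x = encrypt(key, m, k, random.Random(1))
    print("round trip ok:", decrypt(key, c, x, k) == m)
    lengths = [8, 8, 8, 8]
    print(f"Pr[C] ~ {estimate_pr_c(lengths, k, 4000):.3f}  bound {pr_c_bound(lengths, k):.3f}")
    _, x1 = encrypt(key, m, k, counter=123)
    _, x2 = encrypt(key, [0, 0, 0, 0, 1, 1, 1, 1], k, counter=123)
    print("leak m1 xor m2:", keystream_reuse_leak(x1, x2))
```

With $k = 10$ the bound is deliberately tiny so the overlap is observable; at a realistic $k$ the $2ql/2^k$ term is what forces the counter (nonce) space to be large relative to the total amount of data encrypted under one key, exactly the consideration behind nonce-size limits in counter-mode ciphers.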
2.3 Modeling Communication - Channels


We  seek  to  define  steganography  in  terms  of  indistinguishability  from  a  “usual”  or 
innocent-looking  pattern  of  communication.  In  order  to  do  so,  we  must  characterize 
this  pattern.  We  begin  by  supposing  that  Alice  and  Bob  communicate  via  documents: 

Definition  2.13.  (Documents)  Let  D  be  an  efficiently  recognizable,  prefix-free  set 
of  strings,  or  documents. 

As  an  example,  if  Alice  and  Bob  are  communicating  over  a  computer  network,  they 
might  run  the  TCP  protocol,  in  which  case  they  communicate  by  sending  “packets” 
according  to  a  format  which  specifies  fields  like  a  source  and  destination  address, 
packet  length,  and  sequence  number. 

Once  we  have  specified  what  kinds  of  strings  Alice  and  Bob  send  to  each  other, 
we  also  need  to  specify  the  probability  that  Ward  will  assign  to  each  document.  The 
simplest  notion  might  be  to  model  the  innocent  communications  between  Alice  and 
Bob  by  a  stationary  distribution:  each  time  Alice  communicates  with  Bob,  she  makes 
an  independent  draw  from  a  probability  distribution  C  and  sends  it  to  Bob.  Notice 
that  in  this  model,  all  orderings  of  the  messages  output  by  Alice  are  equally  likely. 
This  does  not  match  well  with  our  intuition  about  real-world  communications;  if  we 
continue  the  TCP  analogy,  we  notice,  for  example,  that  in  an  ordered  list  of  packets 
sent  from  Alice  to  Bob,  each  packet  should  have  a  sequence  number  which  is  one 
greater  than  the  previous;  Ward  would  become  very  suspicious  if  Alice  sent  all  of  the 
odd-numbered  packets  first,  and  then  all  of  the  even. 

Thus,  we  will  use  a  notion  of  a  channel  which  models  a  prior  distribution  on  the 
entire  sequence  of  communication  from  one  party  to  another: 

Definition 2.14. (Channel) A channel is a distribution on sequences $s \in D^n$.

Any particular sequence in the support of a channel describes one possible outcome of all communications from Alice to Bob - the list of all packets that Alice's computer sends to Bob's. The process of drawing from the channel, which results in a sequence of documents, is equivalent to a process that repeatedly draws a single "next" document from a distribution consistent with the history of already drawn documents - for example, drawing only packets which have a sequence number that is one greater than the sequence number of the previous packet. Therefore, we can think of communication as a series of these partial draws from the channel distribution, conditioned on what has been drawn so far. Notice that this notion of a channel is more general than the typical setting in which every symbol is drawn independently according to some fixed distribution: our channel explicitly models the dependence between symbols common in typical real-world communications.


Let $\mathcal{C}$ be a channel. We let $\mathcal{C}_h$ denote the marginal channel distribution on a single document from $D$ conditioned on the history $h$ of already drawn documents; we let $\mathcal{C}^l_h$ denote the marginal distribution on sequences of $l$ documents conditioned on $h$. Concretely, for any $d \in D$, we will say that
$$\Pr_{\mathcal{C}_h}[d] = \frac{\sum_{s \in \{(h,d)\} \times D^*} \Pr_{\mathcal{C}}[s]}{\sum_{s \in \{h\} \times D^*} \Pr_{\mathcal{C}}[s]}$$
and that for any $d \in D^l$,
$$\Pr_{\mathcal{C}^l_h}[d] = \frac{\sum_{s \in \{(h,d)\} \times D^*} \Pr_{\mathcal{C}}[s]}{\sum_{s \in \{h\} \times D^*} \Pr_{\mathcal{C}}[s]}\ .$$
When we write "sample $x \leftarrow \mathcal{C}_h$" we mean that a single document should be returned according to the distribution conditioned on $h$. When it is not clear from context, we will use $\mathcal{C}_{A \to B, h}$ to denote the channel distribution on the communication from party $A$ to party $B$.


Informativeness 

We will require that a channel satisfy a minimum entropy constraint for all histories. Specifically, we require that there exist constants $L > 0$, $\beta > 0$, $\alpha > 0$ such that for all $h \in D^L$, either $\Pr_{\mathcal{C}}[h] = 0$ or $H_\infty(\mathcal{C}^\beta_h) \ge \alpha$. If a channel does not satisfy this property, then it is possible for Alice to drive the information content of her communications to 0, so this is a reasonable requirement. We say that a channel satisfying this condition is $(L, \alpha, \beta)$-informative, and if a channel is $(L, \alpha, \beta)$-informative for all $L > 0$, we say it is $(\alpha, \beta)$-always informative, or simply always informative. Note that this definition implies an additive-like property of minimum entropy for marginal distributions, specifically, $H_\infty(\mathcal{C}^{l\beta}_h) \ge l\alpha$. For ease of exposition, we will assume channels are always informative in the remainder of this dissertation; however, our theorems easily extend to situations in which a channel is $L$-informative. The only complication in this situation is that there will be a bound in terms of $(L, \alpha, \beta)$ on the number of bits of secret message which can be hidden before the channel runs out of information.

Intuitively,  L-informativeness  requires  that  Alice  always  sends  at  least  L  non-null 
packets  over  her  TCP  connection  to  Bob,  and  at  least  one  out  of  every  f3  packets  she 
sends  has  some  probable  alternative.  Thus,  we  are  requiring  that  Alice  always  says 
at  least  L/ f3  “interesting  things”  to  Bob. 

Channel  Access 

In a multiparty setting, each ordered pair of parties $(P, Q)$ will have their own channel distribution $\mathcal{C}_{P \to Q}$. To demonstrate that it is feasible to construct secure protocols for steganography, we will assume that party $A$ has oracle access to marginal channel distributions $\mathcal{C}_{A \to B, h}$ for every other party $B$ and history $h$. This is reasonable, because if Alice can communicate innocently with Bob at all, she must be able to draw from this distribution; thus we are only requiring that when using steganography, Alice can "pretend" she is communicating innocently.

On the other hand, we will assume that the adversary, Ward, knows as much as possible about the distribution on innocent communications. Thus he will be allowed oracle access to marginal channel distributions $\mathcal{C}_{P \to Q, h}$ for every pair $P, Q$ and every history $h$. In addition, the adversary may be allowed access to an oracle which on input $(d, h, l)$, with $d \in D$ and $h \in D^*$, returns an $l$-bit representation of $\Pr_{\mathcal{C}_h}[d]$.

These assumptions allow the adversary to learn as much as possible about any channel distribution but do not require any legitimate participant to know the distribution on communications from any other participant. We will, however, assume that each party knows (a summary of) the history of communications it has sent and received from every other participant; thus Bob must remember some details about the entire sequence of packets Alice sends to him.
Etc...


We will also assume that cryptographic primitives remain secure with respect to oracles which draw from the marginal channel distributions $\mathcal{C}_{A \to B, h}$. Thus channels
which  can  be  used  to  solve  the  hard  problems  that  standard  primitives  are  based  on 
must  be  ruled  out.  In  practice  this  is  of  little  concern,  since  the  existence  of  such 
channels  would  have  previously  led  to  the  conclusion  that  the  primitive  in  question 
was  insecure. 

Notice that the set of documents need not be literally interpreted as a set of bitstrings to be sent over a network. In general, documents could encode any kind of information, including things like actions - such as accessing a hard drive, or changing the color of a pixel - and times - such as pausing an extra $\frac{1}{2}$ second between words of a speech. In the single-party case, our theory is general enough to deal with these situations without any special treatment.


2.4  Bidirectional  Channels:  modeling  interaction 

Some  of  our  protocols  require  an  even  more  general  definition  of  communications,  to 
account  for  the  differences  in  communications  caused  by  interaction.  For  example,  if 
Alice  is  a  web  browser  and  Bob  is  a  web  server,  Alice’s  packets  will  depend  on  the 
packets  she  gets  from  Bob:  if  Bob  sends  Alice  a  web  page  with  links  to  a  picture,  then 
Alice  will  also  send  Bob  a  request  for  that  picture;  and  Alice’s  next  request  might 
more  likely  be  a  page  linked  from  the  page  she  is  currently  viewing.  To  model  this 
interactive  effect  on  communications,  we  will  need  a  slightly  augmented  model.  The 
main  difference  is  that  this  channel  is  shared  among  two  participants  and  messages 
sent  by  each  participant  might  depend  on  previous  messages  sent  by  either  one  of 
them.  To  emphasize  this  difference,  we  use  the  term  bidirectional  channel. 

Messages are still drawn from a set $D$ of documents. For simplicity we assume that time proceeds in discrete timesteps. Each party $P \in \{P_0, P_1\}$ maintains a history $h_P$, which represents a timestep-ordered list of all documents sent and received by $P$. We call the set of well-formed histories $\mathcal{H}$. We associate to each party $P$ a family of probability distributions $\mathcal{C}^P = \{\mathcal{C}^P_h\}_{h \in \mathcal{H}}$ on $D$.

The communication over a bidirectional channel $\mathcal{B} = (D, \mathcal{H}, \mathcal{C}^{P_0}, \mathcal{C}^{P_1})$ proceeds as follows. At each timestep, each party $P$ receives messages sent to them in the previous timestep, updates $h_P$ accordingly, and draws a document $d \leftarrow \mathcal{C}^P_{h_P}$ (the draw could result in the empty message $\perp$, signifying that no action should be taken that timestep). The document $d$ is then sent to the other party and $h_P$ is updated. We assume for simplicity that all messages sent at a given timestep are received at the next one. Denote by $\bar{\mathcal{C}}^P_{h_P}$ the distribution $\mathcal{C}^P_{h_P}$ conditioned on not drawing $\perp$. We will consider families of bidirectional channels $\{\mathcal{B}_k\}_{k > 0}$ such that: (1) the length of elements in $D_k$ is polynomially bounded in $k$; (2) for each $h \in \mathcal{H}_k$ and party $P$, either $\Pr[\mathcal{C}^P_h = \perp] = 1$ or $\Pr[\mathcal{C}^P_h = \perp] \le 1 - \delta$, for a constant $\delta$; and (3) there exists a function $\ell(k) = \omega(\log k)$ so that for each $h \in \mathcal{H}_k$, $H_\infty(\bar{\mathcal{C}}^P_h) \ge \ell(k)$ (that is, there is some variability in the communications).

Alternatively, a bidirectional channel can be thought of as a distribution on infinite sequences of pairs from $D' \times D'$, where $D' = D \cup \{\perp\}$, and the marginal distributions are distributions on the individual documents in a pair.

We assume that party $P$ can draw from $\mathcal{C}^P_h$ for any history $h$, and that the adversary can draw from $\mathcal{C}^P_h$ for every party $P$ and history $h$. We assume that the ability to draw from these distributions does not contradict the cryptographic assumptions that our results are based on. In the rest of the dissertation, all interactive communications will be assumed to conform to the bidirectional channel structure: parties only communicate by sending documents from $D$ to each other, and parties not running a protocol communicate according to the distributions specified by $\mathcal{B}$. Parties running a protocol strive to communicate using sequences of documents that appear to come from $\mathcal{B}$. As a convention, when $\mathcal{B}$ is compared to another random variable, we mean a random variable which draws from the process $\mathcal{B}$ the same number of documents as the variable we are comparing it to.

Bidirectional channels provide a model of the distribution on communications between two parties and are general enough to express almost any form of communication between the parties.
Chapter 3


Symmetric-key  Steganography 


Symmetric-key  steganography  is  the  most  basic  setting  for  steganography:  Alice  and 
Bob  possess  a  shared  secret  key  and  would  like  to  use  it  to  exchange  hidden  messages 
over  a  public  channel  so  that  Ward  cannot  detect  the  presence  of  these  messages. 
Despite  the  apparent  simplicity  of  this  scenario,  there  has  been  little  work  on  giving 
a  precise  formulation  of  steganographic  security.  Our  goal  is  to  give  such  a  formal 
description. 

In Section 3.1, we give definitions dealing with the correctness and security of symmetric-key steganography. Then we show in Section 3.2 that these notions are feasible by giving constructions which satisfy them, under the assumption that pseudorandom function families exist. Finally, in Section 3.3, we explore the necessary conditions for the existence of secure symmetric-key steganography.


3.1  Definitions 

We  will  first  define  a  stegosystem  in  terms  of  syntax  and  correctness,  and  then  proceed 
to  a  security  definition. 

Definition 3.1. (Stegosystem) A steganographic protocol $S$, or stegosystem, is a pair of probabilistic algorithms:

• $S.\mathrm{Encode}$ (abbreviated $SE$) takes as input a key $K \in \{0,1\}^k$, a string $m \in \{0,1\}^*$ (the hiddentext), and a message history $h$.
  $SE(K, m, h)$ returns a sequence of documents $s_1 \| s_2 \| \cdots \| s_l$ (the stegotext) from the support of $\mathcal{C}^l_h$.

• $S.\mathrm{Decode}$ (abbreviated $SD$) takes as input a key $K$, a sequence of documents $s_1 \| s_2 \| \cdots \| s_l$, and a message history $h$.
  $SD(K, s, h)$ returns a hiddentext $m \in \{0,1\}^*$.

3.1.1  Correctness 

Of  course,  in  order  for  a  stegosystem  to  be  useful,  it  must  be  correct:  when  using 
the  same  key  and  history,  decoding  should  recover  any  encoded  message,  most  of  the 
time: 

Definition 3.2. (Correctness) A stegosystem $S$ is correct if for every polynomial $p(k)$, there exists a negligible function $\mu(k)$ such that $SE$ and $SD$ also satisfy the relationship:
$$\forall m \in \{0,1\}^{p(k)},\ h \in D^* :\quad \Pr\big(SD(K, SE(K, m, h), h) = m\big) \ge 1 - \mu(k)\ ,$$
where the randomization is over the key $K$ and any coin tosses of $SE$, $SD$, and the oracles accessed by $SE$, $SD$.

An equivalent approach is to require that for any single-bit message, decoding correctly recovers an encoded bit with probability bounded away from $\frac{1}{2}$. In this case, multiple encodings under independent keys can be combined with error-correcting codes to make the probability of single-bit decoding failure negligible in $k$ (we take a similar approach in our feasibility result). If the probability of decoding failure for a single-bit message is a negligible function $\mu(k)$, then for any polynomial $p(k)$, a union bound is sufficient to show that the probability of decoding failure for $p(k)$-bit messages is at most $p(k)\mu(k)$, which is still negligible in $k$.


3.1.2  Security 


Intuitively, what we would like to require is that no efficient warden can distinguish between stegotexts output by $SE$ and covertexts drawn from the channel distribution $\mathcal{C}_h$. As we stated in Section 2.3, we will assume that $W$ knows the distribution $\mathcal{C}_h$; we will also allow $W$ to know the algorithms involved in $S$ as well as the history $h$ of Alice's communications to Bob. In addition, we will allow $W$ to pick the hiddentexts that Alice will hide, if she is in fact producing stegotexts. Thus, $W$'s only uncertainty is about the key $K$ and the single bit denoting whether Alice's outputs are stegotexts or covertexts.

As with encryption schemes, we will model an attack against a stegosystem as a game played by a passive warden, $W$, who is allowed to know the details of $S$ and the channel $\mathcal{C}$.

Definition 3.3. (Chosen Hiddentext Attack) In a chosen hiddentext attack, $W$ is given access to a "mystery oracle" $M$ which is chosen from one of the following distributions:

1. $ST$: The oracle $ST$ has a uniformly chosen key $K \leftarrow U_k$ and responds to queries $(m, h)$ with a StegoText drawn from $SE(K, m, h)$.

2. $CT$: The oracle $CT$ has a uniformly chosen $K$ as well, and responds to queries $(m, h)$ with a CoverText of length $t = |SE(K, m, h)|$ drawn from $\mathcal{C}^t_h$.

$W^M(1^k)$ outputs a bit which represents its guess about the type of $M$.

We define $W$'s advantage against a stegosystem $S$ for channel $\mathcal{C}$ by
$$\mathbf{Adv}^{\mathrm{ss}}_{S,\mathcal{C},W}(k) = \left| \Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1] \right|\ ,$$
where the probability is taken over the randomness of $ST$, $CT$, and $W$.

Define the insecurity of $S$ with respect to channel $\mathcal{C}$ by
$$\mathbf{InSec}^{\mathrm{ss}}_{S,\mathcal{C}}(t, q, l, k) = \max_{W \in \mathcal{W}(t,q,l)} \left\{ \mathbf{Adv}^{\mathrm{ss}}_{S,\mathcal{C},W}(k) \right\}\ ,$$
where $\mathcal{W}(t, q, l)$ denotes the set of all adversaries which make at most $q(k)$ queries totaling at most $l(k)$ bits (of hiddentext) and running in time at most $t(k)$.

Definition 3.4. (Steganographic secrecy) A stegosystem $S_k$ is called $(t, q, l, \epsilon)$ steganographically secret against chosen hiddentext attack for the channel $\mathcal{C}$ ($(t, q, l, \epsilon)$-SS-CHA-$\mathcal{C}$) if $\mathbf{InSec}^{\mathrm{ss}}_{S,\mathcal{C}}(t, q, l, k) \le \epsilon$.

Definition 3.5. (Universal Steganographic Secrecy) A stegosystem $S$ is called $(t, q, l, \epsilon)$-universally steganographically secret against chosen hiddentext attack ($(t, q, l, \epsilon)$-USS-CHA) if it is $(t, q, l, \epsilon)$-SS-CHA-$\mathcal{C}$ for every always-informative channel $\mathcal{C}$.

A stegosystem is called universally steganographically secret (USS-CHA) if for every channel $\mathcal{C}$ and for every PPT $W$, $\mathbf{Adv}^{\mathrm{ss}}_{S,\mathcal{C},W}(k)$ is negligible in $k$.

Note that steganographic secrecy can be thought of roughly as encryption which is indistinguishable from arbitrary distributions $\mathcal{D}$.
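The following Python, added here and not part of the thesis, makes the channel model of Section 2.3 and the game of Definition 3.3 concrete on a constructed toy channel: documents are (sequence number, payload) packets whose marginal $\mathcal{C}_h$ depends on the history, the informativeness constant $\alpha$ and the additive-like property $H_\infty(\mathcal{C}^l_h) \ge l\alpha$ are computed from the exact marginals, and a warden equipped with the probability oracle $\Pr_{\mathcal{C}_h}[d]$ is run against a hypothetical stegosystem that ignores the channel distribution and against one that outputs nothing but covertexts. The channel, both encoders and the warden are assumptions of the example.

```python
"""Toy history-dependent channel (Section 2.3) and the chosen-hiddentext game (Definition 3.3).

Added example, not from the thesis.  Documents are constructed (sequence number, payload)
packets; the channel, both encoders and the warden are illustrative assumptions.  The
channel oracle is exact, i.e. the 'perfect oracle' the text assumes.
"""
import math
import random
from typing import Callable, Dict, List, Tuple

Doc = Tuple[int, int]                                   # (sequence number, payload)
PAYLOAD_WEIGHTS = {0: 0.40, 1: 0.10, 2: 0.35, 3: 0.15}  # constructed payload distribution


def marginal(h: List[Doc]) -> Dict[Doc, float]:
    """Pr_{C_h}[d]: the next sequence number is the previous one plus one, and the payload is
    drawn from PAYLOAD_WEIGHTS excluding the payload just sent, so C_h genuinely depends on h."""
    if not h:
        raise ValueError("this toy channel needs a nonempty history")
    seq, last = h[-1]
    w = {p: v for p, v in PAYLOAD_WEIGHTS.items() if p != last}
    tot = sum(w.values())
    return {(seq + 1, p): v / tot for p, v in w.items()}


def sample(h: List[Doc], rng: random.Random) -> Doc:
    """d <- C_h, the oracle access the stegosystem is allowed."""
    docs, probs = zip(*marginal(h).items())
    return rng.choices(docs, probs)[0]


def marginal_l(h: List[Doc], l: int) -> Dict[Tuple[Doc, ...], float]:
    """C^l_h: the distribution on l-document continuations of h."""
    if l == 0:
        return {(): 1.0}
    out: Dict[Tuple[Doc, ...], float] = {}
    for d, p in marginal(h).items():
        for rest, q in marginal_l(h + [d], l - 1).items():
            out[(d,) + rest] = p * q
    return out


def min_entropy(dist: Dict) -> float:
    """H_inf(D) = min_x log2(1 / Pr_D[x]) (Definition 2.7)."""
    return min(-math.log2(p) for p in dist.values() if p > 0)


def informativeness_alpha(beta: int = 1) -> float:
    """alpha with H_inf(C^beta_h) >= alpha for every reachable h; here h matters only via its last payload."""
    return min(min_entropy(marginal_l([(0, last)], beta)) for last in PAYLOAD_WEIGHTS)


# --- the chosen hiddentext attack ---------------------------------------------------------

Encoder = Callable[[bytes, List[int], List[Doc], random.Random], List[Doc]]


def naive_encode(key: bytes, m: List[int], h: List[Doc], rng: random.Random) -> List[Doc]:
    """Hypothetical insecure SE: hides each bit as the sequence-number increment (1 or 2) and never
    consults C_h beyond the payload.  Any document with increment 2 has Pr_{C_h}[d] = 0.  `key` unused."""
    out: List[Doc] = []
    for b in m:
        d = sample(h + out, rng)
        out.append((d[0] + b, d[1]))
    return out


def covertext_encode(key: bytes, m: List[int], h: List[Doc], rng: random.Random) -> List[Doc]:
    """Draws |m| documents from the channel and ignores m and key: perfectly secret and useless."""
    out: List[Doc] = []
    for _ in m:
        out.append(sample(h + out, rng))
    return out


def warden(oracle: Callable[[List[int], List[Doc]], List[Doc]]) -> int:
    """W, equipped with the probability oracle for C_h: outputs 1 iff some document it receives
    is impossible under the channel given the history so far."""
    h: List[Doc] = [(0, 0)]
    for d in oracle([1, 1, 1, 1], h):            # W chooses the hiddentext
        if marginal(h).get(d, 0.0) == 0.0:
            return 1
        h = h + [d]
    return 0


def cha_advantage(encode: Encoder, trials: int, seed: int = 1) -> float:
    """|Pr[W^ST = 1] - Pr[W^CT = 1]| estimated over `trials` games with fresh keys."""
    rng = random.Random(seed)
    st = ct = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        st += warden(lambda m, h: encode(key, m, h, rng))
        ct += warden(lambda m, h: covertext_encode(key, m, h, rng))
    return abs(st - ct) / trials


if __name__ == "__main__":
    alpha = informativeness_alpha()
    for l in (1, 2, 3):                             # additive-like property: H_inf(C^l_h) >= l*alpha
        print(l, round(min_entropy(marginal_l([(0, 0)], l)), 3), ">=", round(l * alpha, 3))
    print("naive stegosystem advantage:", cha_advantage(naive_encode, 200))
    print("covertext-only advantage:   ", cha_advantage(covertext_encode, 200))
```

The two encoders separate the two definitions: `naive_encode` is correct (Bob can read the increments) but has advantage 1 against a warden who merely checks $\Pr_{\mathcal{C}_h}[d] > 0$, while `covertext_encode` has advantage 0 and conveys nothing. A stegosystem has to satisfy Definition 3.2 and Definition 3.4 at once, which is what the constructions of Section 3.2 are for.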


3.2 Constructions

For our feasibility results, we have taken the approach of assuming a channel which can be drawn from freely by the stegosystem; most current proposals for stegosystems act on a single sample from the channel (one exception is [16]). While it may be possible to define a stegosystem which is steganographically secret or robust and works in this style, this is equivalent to a system in our model which merely makes a single draw on the channel distribution. Further, we believe that the lack of reference to the channel distribution may be one of the reasons for the failure of many such proposals in the literature.

It is also worth noting that we assume that a stegosystem has very little knowledge of the channel distribution: $SE$ may only sample from an oracle according to the distribution. This is because in many cases the full distribution of the channel has never been characterized; for example, the oracle may be a human being, or a video camera focused on some complex scene. However, our definitions do not rule out encoding procedures which have more detailed knowledge of the channel distribution.

Sampling from $C_h$ might not be trivial. In some cases the oracle for $C_h$ might be a human, and in others a simple randomized program. We stress that it is important to minimize the use of such an oracle, because oracle queries can be extremely expensive. In practice, this oracle is also the weakest point of all our constructions. We assume the existence of a perfect oracle: one that can perform independent draws, one that can be rewound, etc. This assumption can be justified in some cases, but not in others. If the oracle is a human, the human may not be able to perform independent draws from the channel as is required by our constructions. A real-world Warden would use this to his advantage. We therefore stress the following cautionary remark: our protocols will be shown to be secure under the assumption that the channel oracle is perfect.


3.2.1 A Stateful Construction

Setup: We assume Alice and Bob share a channel and let $C$ denote the channel distribution. We write $d \leftarrow C_h$ to denote the action of sampling $d$ from the marginal distribution $C_h$ (via oracle access). We let $F_K(\cdot, \cdot)$ denote a pseudorandom function family indexed by $k = |K|$ key bits which maps documents to bits, i.e. $F : \{0,1\}^k \times \{0,1\}^* \rightarrow \{0,1\}$. We let Alice and Bob share a secret key $K \in \{0,1\}^k$ and also a synchronized $d$-bit counter $N$ (which need not be secret). The following procedures allow Alice and Bob to encode and decode a single bit and to send it via their shared channel.

Construction 3.6. OneBit Stegosystem

Procedure OneBit.Encode:
    Input: $K \in \{0,1\}^k$, $m \in \{0,1\}$, $h \in D^*$, $N$
    for $i = 1 \ldots \ell$ do
        draw $d_i, d'_i \leftarrow C_h$
        if $F_K(N, d_i) = m$ then
            set $s_i = d_i$
        else
            set $s_i = d'_i$
        set $h = (h, s_i)$, increment $N$
    Output: $s_1, s_2, \ldots, s_\ell$

Procedure OneBit.Decode:
    Input: $K \in \{0,1\}^k$, $s_1, \ldots, s_\ell$, $N$
    set $C = 0$
    for $i = 1 \ldots \ell$ do
        set $C = C + F_K(N, s_i)$
        increment $N$
    if $C > \ell/2$ then
        set $m = 1$
    else
        set $m = 0$
    Output: $m$

The idea behind this construction is simple. The encoding algorithm makes $\ell$ copies of the bit $m$. For the $i$th copy, the encoder attempts to find a document $d$ such that $F_K(i, d) = m$, by drawing $d \leftarrow C_h$. If the encoder fails, it draws a second $d' \leftarrow C_h$ and sends $d'$ instead of $d$. The decoder recovers $\ell$ bits by applying $F_K$ to each $s_i$, and outputs 1 if the majority of the bits are 1, and 0 otherwise. Intuitively, this works because we expect each $s_i$ to map to the bit $m$ with probability about $\frac{3}{4}$, and so the probability of a decoding failure should be negligible in $\ell$.

Lemma 3.7. Let $s_1, \ldots, s_\ell \leftarrow SE(K, m, h)$ and suppose $F$ is a uniformly chosen function. Then for any $d \in D$,

$$\Pr[s_i = d] = \Pr_{C_{h_{i-1}}}[d].$$

Proof. The event $s_i = d$ happens exactly when $d_i = d$ and $F_K(N + i, d_i) = m$ or when $d'_i = d$ and $F_K(N + i, d_i) = 1 - m$. Because $d_i$ and $d'_i$ are drawn independently from $C_h$ and independently of $F_K$, and the conditions on $F_K(N + i, \cdot)$ are mutually exclusive, we get:

$$\begin{aligned}
\Pr[s_i = d] &= \Pr[(F_K(N+i, d_i) = m \wedge d_i = d) \vee (F_K(N+i, d_i) = 1 - m \wedge d'_i = d)] \\
&= \Pr[F_K(N+i, d_i) = m \wedge d_i = d] + \Pr[F_K(N+i, d_i) = 1 - m \wedge d'_i = d] \\
&= \Pr[F_K(N+i, d_i) = m]\Pr[d_i = d] + \Pr[F_K(N+i, d_i) = 1 - m]\Pr[d'_i = d] \\
&= \Pr_{C_h}[d]. \qquad \square
\end{aligned}$$

Lemma 3.8. Let $s_1, \ldots, s_\ell \leftarrow SE(K, m, h)$, and suppose $F$ is a uniformly chosen function. Then for any $i$,

$$\Pr[F_K(N + i, s_i) = m] = \frac{1}{2} + \frac{1}{4}\Pr_{d_0, d_1 \leftarrow C_h}[d_0 \ne d_1].$$

Proof. Consider the two documents $d_i, d'_i$ that $SE$ draws in iteration $i$. It will be the case that $F_K(N + i, s_i) = m$ exactly when either $F_K(N + i, d_i) = m$, which happens with probability $\frac{1}{2}$, or when $F_K(N + i, d_i) = 1 - m$ and $F_K(N + i, d'_i) = m$, which happens with probability $\frac{1}{4}$ when $d_i \ne d'_i$ and with probability 0 otherwise. The theorem applies for any $i$ because the function $F_K(N + i, \cdot)$ is independent of $F_K(N + j, \cdot)$ for $i \ne j$ when $F_K$ is uniformly chosen. $\square$

Lemma 3.9. Suppose $C$ is $(\alpha, \beta)$-always informative and $F$ is a uniformly chosen function. Then we have

$$\Pr[F_K(N + i, s_i) = m] \ge \frac{1}{2} + \frac{1}{4\beta}\left(1 - 2^{-\alpha/\beta}\right).$$

Proof. Because $C$ is $(\alpha, \beta)$-informative, for any $h$ and any sequence $d_1, \ldots, d_\beta \leftarrow C_h^\beta$, there must be a $j$ between 0 and $\beta - 1$ such that $H_\infty(C_{(h, d_1, \ldots, d_j)}) \ge \alpha/\beta$. If this were not the case, then we would have $h$ such that $H_\infty(C_h^\beta) < \alpha$. Thus for a string of length $\ell$ drawn from $C_h^\ell$, there must be $\ell/\beta$ positions $i$ which have $H_\infty(C_{h_i}) \ge \alpha/\beta$. In these positions, the collision probability is at most $2^{-\alpha/\beta}$. In the other positions, the collision probability is at most 1. Applying the previous lemma yields the result. $\square$

Theorem 3.10. If $C$ is $(\alpha, \beta)$-informative, then

$$\Pr[SD(K, SE(K, m, h), h) \ne m] \le e^{-\gamma\ell} + \mathbf{InSec}^{prf}_F(\ell T_{SE}, 2\ell, k),$$

where $\gamma = 2\left(\frac{1}{4\beta}\left(1 - 2^{-\alpha/\beta}\right)\right)^2$ and $T_{SE}$ is the time required to execute the inner loop of OneBit.Encode.

Proof. Lemma 3.9 implies that if $F_K$ is a random function, then

$$\Pr[SD(K, SE(K, m, h), h) \ne m] \le e^{-\gamma\ell}.$$
We describe a PRF-adversary $A$ for $F$ that has advantage

$$\left|\Pr[SD(K, SE(K, m, h), h) \ne m] - e^{-\gamma\ell}\right|.$$

$A$ uses its function oracle $f$ to emulate the action of $SE$ encoding a uniformly chosen bit $m$ under history $h$, counting the number of documents with $f(N + i, s_i) = m$. If fewer than $\frac{1}{2}$ of the $s_i$ satisfy $f(N + i, s_i) = m$, $A$ outputs 1, otherwise $A$ outputs 0. Lemma 3.9 shows that $\Pr[A^f(1^k) = 1] \le e^{-\gamma\ell}$, whereas

$$\Pr[A^{F_K}(1^k) = 1] = \Pr[SD(K, SE(K, m, h), h) \ne m].$$

So by definition of advantage,

$$\mathbf{Adv}^{prf}_{F,A}(k) \ge \left|\Pr[SD(K, SE(K, m, h), h) \ne m] - e^{-\gamma\ell}\right|,$$

and it follows that this quantity is at most $\mathbf{InSec}^{prf}_F(\mathrm{TIME}(A), \mathrm{QUERIES}(A), k)$. But $A$ runs in time $\ell T_{SE}$ and makes $2\ell$ function-oracle queries, which proves the theorem. $\square$
Extending to multiple-bit messages

For completeness, we now state the obvious extension of the stegosystem OneBit to multiple-bit hiddentexts. We assume the same setup as previously.

Construction 3.11. MultiBit Stegosystem

Procedure MultiBit.Encode:
    Input: $K \in \{0,1\}^k$, $m \in \{0,1\}^L$, $h \in D^*$, $N$
    for $i = 1 \ldots L$ do
        draw $S_i \leftarrow$ OneBit.Encode$(K, m_i, h, N)$
        set $h = (h, S_i)$, $N = N + \ell$
    Output: $S_1, S_2, \ldots, S_{|m|}$

Procedure MultiBit.Decode:
    Input: $K \in \{0,1\}^k$, $s_1, \ldots, s_{L\ell}$, $N$
    for $i = 1 \ldots L$ do
        set $S_i = s_{(i-1)\ell}, \ldots, s_{i\ell - 1}$
        set $m_i = $ OneBit.Decode$(K, S_i, N)$
        set $N = N + \ell$
    Output: $m_1 \| \cdots \| m_L$

The MultiBit stegosystem works by simply repeatedly invoking OneBit on the individual bits of the message $m$.

Theorem 3.12. If $C$ is $(\alpha, \beta)$-informative, then

$$\Pr[SD(K, SE(K, m, h, N), N) \ne m] \le |m|\, e^{-\gamma\ell} + \mathbf{InSec}^{prf}_F(|m|\ell T_{SE}, 2|m|\ell, k),$$

where $\gamma = 2\left(\frac{1}{4\beta}\left(1 - 2^{-\alpha/\beta}\right)\right)^2$ and $T_{SE}$ is the time required to execute the inner loop of OneBit.Encode.

Proof. Because each $S_i$ is generated using a different value of the counter $N$, each execution of the inner loop of OneBit.Encode is independent when called with a uniformly chosen function. Thus when a uniformly chosen function is used, executing OneBit.Encode $|m|$ times with different bits is the same as using $|m|$ independent keys, each with failure probability at most $e^{-\gamma\ell}$, so a union bound shows that for a random function $f$, $\Pr[SD^f(SE^f(m, h, N), N) \ne m] \le |m|\, e^{-\gamma\ell}$. To complete the proof, we apply the same technique as in the proof of Theorem 3.10. $\square$

We would like to make a security claim about the stegosystem MultiBit, but because the stegosystem does not fit our syntactic definition, we need a slightly modified version of the chosen-hiddentext attack game. We will modify the definition of the oracle distribution $ST$ so that the oracle's private state will include the value $N$, initialized to 0 and properly incremented between queries. With this modified game in mind, we can state our theorem about the security of MultiBit:
Theorem 3.13.  Let $k = |K|$. For any $\mu < 2^d$:

$$\mathbf{InSec}^{ss}_{MultiBit,C}(t, q, \mu, k) \le \mathbf{InSec}^{prf}_F(t + \ell\mu T_{SE}, 2\ell\mu, k)$$

Proof. For any warden $W$ running in time $t$ and making $q$ queries totaling $\mu$ bits, we construct a corresponding PRF adversary $A$, where

$$\mathbf{Adv}^{ss}_{MultiBit,C,W}(k) = \mathbf{Adv}^{prf}_{F,A}(k).$$

The running time of $A$ is the running time of warden $W$ plus the time to make $\ell\mu$ passes through the inner loop of OneBit.Encode, or $\ell\mu T_{SE}$. The number of samples taken from $C$ is at most $2\ell\mu$.

$A$ simply runs $W$, playing the role of the oracle $ST$ in the chosen-hiddentext attack game. To respond to $W$'s queries, $A$ emulates the encoding procedure MultiBit.Encode using the function oracle $f$ in place of $F_K(\cdot, \cdot)$; $A$ outputs the same bit as $W$. We consider the two cases for the oracle $f$:

• When $f$ is a uniformly chosen function, then by Lemma 3.7, the documents output by OneBit.Encode are distributed exactly according to $C$. So

$$\Pr[A^f(1^k) = 1] = \Pr[W^{CT}(1^k) = 1].$$

• When $f$ is chosen from $F_K(\cdot, \cdot)$, the documents submitted to $W$ are distributed identically to the output of MultiBit, by the definition of the construction. Thus

$$\Pr[A^{F_K}(1^k) = 1] = \Pr[W^{ST}(1^k) = 1].$$

So the advantage of $A$ is:

$$\begin{aligned}
\mathbf{Adv}^{prf}_{F,A}(k) &= \left|\Pr[A^{F_K}(1^k) = 1] - \Pr[A^f(1^k) = 1]\right| \\
&= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1]\right| \\
&= \mathbf{Adv}^{ss}_{MultiBit,C,W}(k)
\end{aligned}$$

And the theorem follows by the definition of insecurity. $\square$

Corollary 3.14. If $F_K(\cdot, \cdot)$ is pseudorandom then MultiBit is universally steganographically secret against chosen-hiddentext attacks.

Proof. If $F$ is pseudorandom then for all PPT adversaries $A$, $\mathbf{Adv}^{prf}_{F,A}(k)$ is negligible in $k$. The definition of insecurity and Theorem 3.13 imply that for any cover channel $C$, the advantage of a warden will be negligible in $k$. This, in turn, implies the corollary. $\square$

Removing the need for state

Having extended our construction to use multiple-bit messages, we can now remove the requirement for Alice and Bob to share a synchronized counter $N$. This construction will utilize the same setup as the previous constructions, except that Alice and Bob now share a second key $\kappa \in \{0,1\}^k$ to a pseudorandom function $G : \{0,1\}^k \times D^k \rightarrow \{0,1\}^{d/2}$.

Construction 3.15. NoState Stegosystem

Procedure NoState.Encode:
    Input: $K, \kappa \in \{0,1\}^k$, $m \in \{0,1\}^L$, $h \in D^*$
    draw $S_1 \leftarrow C_h^k$
    set $N = 2^{d/2} G_\kappa(S_1)$
    draw $S_2 \leftarrow$ MultiBit.Encode$(K, m, (h, S_1), N)$
    Output: $S_1, S_2$

Procedure NoState.Decode:
    Input: $K, \kappa \in \{0,1\}^k$, $S_1, S_2$
    set $N = 2^{d/2} G_\kappa(S_1)$
    set $m = $ MultiBit.Decode$(K, S_2, N)$
    Output: $m$

The NoState stegosystem works by choosing a long sequence from $C_h$ (long enough that it is unlikely to repeat in the chosen-hiddentext attack game) and using it to derive a value $N$, which is then used as the state for the MultiBit stegosystem. This value is always a multiple of $2^{d/2}$, so that if the value derived from the long sequence never repeats, then any message of length at most $2^{d/2}$ will never use a value of $N$ used by another message.

Theorem 3.16. If $C$ is $(\alpha, \beta)$-informative, then

$$\Pr[SD(K, SE(K, m, h)) \ne m] \le |m|\, e^{-\gamma\ell} + \mathbf{InSec}^{prf}_F(|m|\ell T_{SE}, 2|m|\ell, k),$$

where $\gamma = 2\left(\frac{1}{4\beta}\left(1 - 2^{-\alpha/\beta}\right)\right)^2$ and $T_{SE}$ is the time required to execute the inner loop of OneBit.Encode.

Proof. The theorem follows directly from Theorem 3.12. $\square$
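The three stateful constructions above, OneBit (Construction 3.6), MultiBit (Construction 3.11) and NoState (Construction 3.15), as one added, runnable Python example; this is not code from the thesis. HMAC-SHA256 stands in for the PRFs $F_K$ and $G_\kappa$, a seeded 16-document memoryless channel stands in for the oracle $C_h$, and the counter width $d$, the prefix length $k$, the repetition count $\ell$ and the keys are constructed values. The `nonce_collision_bound` helper evaluates the $\frac{q(q-1)}{2}\left(2^{-\alpha k/\beta} + 2^{-d/2}\right)$ term of Theorem 3.17, the quantity a deployer would check to bound how many messages NoState can send before two of them derive the same counter.

```python
"""Added example (not from the thesis): OneBit (Construction 3.6), MultiBit
(Construction 3.11) and NoState (Construction 3.15) over a simulated channel.
HMAC-SHA256 stands in for the PRFs F_K and G_kappa; channel, keys and sizes
are constructed for the example."""
import hashlib
import hmac
import random

# Constructed cover channel: 16 equally likely short chat-style documents.
COVER_DOCUMENTS = [b"hi", b"ok", b"brb", b"lol", b"yes", b"no", b"thanks", b"np",
                   b"see you", b"sure", b"maybe", b"later", b"cool", b"wow", b"fine", b"bye"]
D_BITS = 64   # width d of the counter N (assumed); NoState nonces occupy the top d/2 bits
K_DOCS = 4    # the k documents G_kappa is evaluated on (assumed)


class ChannelOracle:
    """Memoryless stand-in for the oracle C_h: each draw ignores the history h.
    Draws are counted because oracle queries are the expensive resource."""

    def __init__(self, seed):
        self._rng = random.Random(seed)
        self.queries = 0

    def draw(self, history):
        self.queries += 1
        return self._rng.choice(COVER_DOCUMENTS)


def prf_bit(key, counter, doc):
    """F_K(N, d) -> {0,1}: low bit of HMAC-SHA256(K, N || d)."""
    mac = hmac.new(key, counter.to_bytes(8, "big") + doc, hashlib.sha256).digest()
    return mac[-1] & 1


def onebit_encode(key, m, history, counter, ell, oracle):
    """OneBit.Encode: ell copies; each sends d if F_K(N, d) = m, else the second draw d'."""
    stego = []
    for _ in range(ell):
        d, d_prime = oracle.draw(history), oracle.draw(history)
        s = d if prf_bit(key, counter, d) == m else d_prime
        stego.append(s)
        history, counter = history + (s,), counter + 1
    return stego


def onebit_decode(key, stego, counter, ell):
    """OneBit.Decode: majority of F_K(N, s_i) over the ell copies."""
    votes = sum(prf_bit(key, counter + i, s) for i, s in enumerate(stego))
    return 1 if votes > ell / 2 else 0


def multibit_encode(key, bits, history, counter, ell, oracle):
    """MultiBit.Encode: OneBit per message bit, advancing N by ell after each."""
    stego = []
    for b in bits:
        block = onebit_encode(key, b, history, counter, ell, oracle)
        stego.extend(block)
        history, counter = history + tuple(block), counter + ell
    return stego


def multibit_decode(key, stego, counter, ell):
    return [onebit_decode(key, stego[i * ell:(i + 1) * ell], counter + i * ell, ell)
            for i in range(len(stego) // ell)]


def nonce_from_prefix(kappa, prefix):
    """N = 2^(d/2) * G_kappa(S_1), with G = HMAC-SHA256 over the length-prefixed
    documents of S_1, truncated to d/2 bits."""
    data = b"".join(len(doc).to_bytes(2, "big") + doc for doc in prefix)
    g = int.from_bytes(hmac.new(kappa, data, hashlib.sha256).digest()[:8], "big")
    return (g % (1 << (D_BITS // 2))) << (D_BITS // 2)


def nostate_encode(key, kappa, bits, history, ell, oracle):
    """NoState.Encode: a k-document prefix S_1 drawn from the channel replaces the
    shared counter; S_2 is MultiBit under history (h, S_1) and counter N."""
    s1 = tuple(oracle.draw(history) for _ in range(K_DOCS))
    s2 = multibit_encode(key, bits, history + s1, nonce_from_prefix(kappa, s1), ell, oracle)
    return s1, s2


def nostate_decode(key, kappa, s1, s2, ell):
    return multibit_decode(key, s2, nonce_from_prefix(kappa, s1), ell)


def nonce_collision_bound(q, k_docs, alpha, beta, d_bits):
    """The Pr[C] term of Theorem 3.17: q(q-1)/2 * (2^(-alpha*k/beta) + 2^(-d/2)),
    i.e. how likely q messages are to reuse a NoState counter value."""
    return q * (q - 1) / 2 * (2.0 ** (-alpha * k_docs / beta) + 2.0 ** (-d_bits / 2))


def demo(seed=1, ell=81):
    """Round-trip an 8-bit hiddentext through NoState; returns (sent, recovered, draws)."""
    key, kappa = b"K" * 16, b"G" * 16            # constructed keys
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    oracle = ChannelOracle(seed)
    s1, s2 = nostate_encode(key, kappa, bits, (), ell, oracle)
    return bits, nostate_decode(key, kappa, s1, s2, ell), oracle.queries


if __name__ == "__main__":
    print(demo())
```

The demo counts oracle draws ($k + 2\ell|m|$, here $4 + 2 \cdot 81 \cdot 8$) to make the cost of the channel oracle visible; with this toy channel the collision probability $\Pr[d_0 = d_1]$ is $1/16$, so each copy matches $m$ with probability about $0.73$ and $\ell = 81$ makes a majority error vanishingly rare. For OneBit and MultiBit the decoder must start from the same $N$ as the encoder, which is exactly the synchronization NoState removes by deriving $N$ from the transmitted prefix $S_1$.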

Theorem 3.17. If $C$ is $(\alpha, \beta)$-informative, then for any $q, \mu < 2^{d/2}$:

$$\begin{aligned}
\mathbf{InSec}^{ss}_{NoState,C}(t, q, \mu, k) &\le \mathbf{InSec}^{prf}_F(t + qT_G + \ell\mu T_{SE}, 2\ell\mu, k) \\
&\quad + \mathbf{InSec}^{prf}_G(t + \ell\mu, q, k) \\
&\quad + \frac{q(q-1)}{2}\left(2^{-d/2} + 2^{-\alpha k/\beta}\right)
\end{aligned}$$

Proof. We reformulate the $CT$ oracle in the chosen-hiddentext attack game so that the oracle has a key $\kappa \leftarrow U_k$ and evaluates $G_\kappa$ on the first $k$ documents of its reply $(S, T)$ to every query. Let $NC$ denote the event that the values $G_\kappa(S_1), \ldots, G_\kappa(S_q)$ are all distinct during the chosen-hiddentext attack game and let $C$ denote the complement of $NC$.

Let $W$ be any adversary in $\mathcal{W}(t, q, \mu)$, and assume without loss of generality that $\Pr[W^{ST}(1^k) = 1] \ge \Pr[W^{CT}(1^k) = 1]$. We wish to bound $W$'s advantage against the stegosystem NoState.

$$\begin{aligned}
\mathbf{Adv}^{ss}_{NoState,C,W}(k) &= \Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1] \\
&= \left(\Pr[W^{ST}(1^k) = 1 \mid NC]\Pr[NC] + \Pr[W^{ST}(1^k) = 1 \mid C]\Pr[C]\right) \\
&\quad - \left(\Pr[W^{CT}(1^k) = 1 \mid NC]\Pr[NC] + \Pr[W^{CT}(1^k) = 1 \mid C]\Pr[C]\right) \\
&\le \left(\Pr[W^{ST}(1^k) = 1 \mid NC]\Pr[NC] - \Pr[W^{CT}(1^k) = 1 \mid NC]\Pr[NC]\right) + \Pr[C] \\
&\le \left|\Pr[W^{ST}(1^k) = 1 \mid NC] - \Pr[W^{CT}(1^k) = 1 \mid NC]\right| + \Pr[C]
\end{aligned}$$

We will show that for any $W$ we can define an adversary $X$ such that

$$\mathbf{Adv}^{ss}_{MultiBit,C,X}(k) \ge \left|\Pr[W^{ST}(1^k) = 1 \mid NC] - \Pr[W^{CT}(1^k) = 1 \mid NC]\right|.$$

$X$ plays the nonce-respecting chosen hiddentext attack game against MultiBit by running $W$ and emulating $W$'s oracle. To do this, $X$ picks a key $\kappa \leftarrow U_k$, and when $W$ makes the query $(m, h)$, $X$ draws $S_1 \leftarrow C_h^k$, and computes $N = 2^{d/2} G_\kappa(S_1)$. If $N$ is the same as some previous nonce used by $X$, $X$ halts and outputs 0. Otherwise, $X$ queries its oracle on $(m, (h, S_1), N)$ to get a sequence $S_2$, and then responds to $W$ with $S_1, S_2$. Notice that

$$\Pr[X^{ST}(1^k) = 1] = \Pr[W^{ST}(1^k) = 1 \mid NC],$$

and likewise that

$$\Pr[X^{CT}(1^k) = 1] = \Pr[W^{CT}(1^k) = 1 \mid NC].$$

Thus we have that

$$\mathbf{Adv}^{ss}_{MultiBit,C,X}(k) = \left|\Pr[W^{ST}(1^k) = 1 \mid NC] - \Pr[W^{CT}(1^k) = 1 \mid NC]\right|,$$

and since $X$ makes as many queries (of the same length) as $W$ and runs in time $t + qT_G$, we have that

$$\begin{aligned}
\left|\Pr[W^{ST}(1^k) = 1 \mid NC] - \Pr[W^{CT}(1^k) = 1 \mid NC]\right| &\le \mathbf{InSec}^{ss}_{MultiBit,C}(t + qT_G, q, \mu, k) \\
&\le \mathbf{InSec}^{prf}_F(t + qT_G + \ell\mu T_{SE}, 2\ell\mu, k)
\end{aligned}$$

by Theorem 3.13. Thus we need only to bound the term $\Pr[C]$.

Consider a game played with the warden $W$ in which a random function $f$ is used in place of the function $G_\kappa$, and let $C_f$ denote the same event as $C$ in the previous game. Let $S_1, \ldots, S_q$ denote the $k$-document prefixes of the sequences returned by the oracle in the chosen-hiddentext attack game and let $N_i = f(S_i)$. Then the event $C_f$ happens when there exist $i \ne j$ such that $N_i = N_j$, or equivalently $f(S_i) = f(S_j)$, and this event happens when $S_i = S_j$ or $S_i \ne S_j \wedge f(S_i) = f(S_j)$. Thus for a random $f$,

$$\begin{aligned}
\Pr[C_f] &= \Pr\left[\bigvee_{i < j \le q} \left((S_i = S_j) \vee (S_i \ne S_j \wedge f(S_i) = f(S_j))\right)\right] \\
&\le \sum_{i < j \le q} \Pr[S_i = S_j] + \Pr[f(S_i) = f(S_j) \wedge (S_i \ne S_j)] \\
&\le \sum_{i < j \le q} \left(\Pr[S_i = S_j] + 2^{-d/2}\right) \\
&\le \frac{q(q-1)}{2}\left(2^{-\alpha k/\beta} + 2^{-d/2}\right)
\end{aligned}$$

Finally, observe that for every $W \in \mathcal{W}(t, q, \mu)$ we can construct a PRF-adversary $A$ for $G$ in $\mathcal{A}(t + \ell\mu, q)$ such that

$$\mathbf{Adv}^{prf}_{G,A}(k) \ge \left|\Pr[C] - \Pr[C_f]\right|.$$

$A$ runs $W$, using its oracle $f$ in place of $G_\kappa$ to respond to $W$'s queries. $A$ outputs 1 if the event $C_f$ occurs, and 0 otherwise. Notice that $\Pr[A^{G_\kappa}(1^k) = 1] = \Pr[C]$ and $\Pr[A^f(1^k) = 1] = \Pr[C_f]$, which satisfies the claim. So to complete the proof, we observe that

$$\begin{aligned}
\Pr[C] &\le \left|\Pr[C] - \Pr[C_f]\right| + \Pr[C_f] \\
&\le \mathbf{InSec}^{prf}_G(t + \ell\mu, q, k) + \Pr[C_f] \\
&\le \mathbf{InSec}^{prf}_G(t + \ell\mu, q, k) + \frac{q(q-1)}{2}\left(2^{-\alpha k/\beta} + 2^{-d/2}\right). \qquad \square
\end{aligned}$$


3.2.2 An Alternative Construction

The following protocol also satisfies our definition for universal steganographic secrecy. This protocol (up to small differences) is not new and can be found in [6]; an information-theoretic version of the protocol can also be found in [16].

Let $E_K(\cdot, \cdot)$ and $D_K(\cdot)$ denote the encryption and decryption functions for a cryptosystem which is indistinguishable from random bits under chosen plaintext attack (i.e., IND\$-CPA) [54]. Suppose Alice and Bob share a key $K \in \{0,1\}^k$, and a function $f$ such that $\Delta(f(C_h), U_1) \le \epsilon$ for any $h$. One example of such a function would be a uniformly chosen element of a universal hash family mapping $D^k \rightarrow \{0,1\}$; then when $C$ is $(\alpha, \beta)$-informative, we would have $\epsilon \le 2^{1 - \alpha k / 2\beta}$ except with negligible probability. The following procedures allow encoding and decoding of messages in a manner which is steganographically secret under chosen hiddentext attack for the channel distribution $C$.

Construction 3.18. UHash Stegosystem

Procedure UHash.Encode:
    Input: key $K$, hiddentext $m$, history $h$
    let $c = E_K(m)$
    parse $c$ as $c_1 \| c_2 \| \cdots \| c_\ell$
    for $i = 1 \ldots \ell$ do
        set $j = 0$
        repeat:
            increment $j$
            $s_i \leftarrow C_h$
        until $f(s_i) = c_i$ or $j = |K|$
        set $h = (h, s_i)$
    Output: $s_1, s_2, \ldots, s_\ell$

Procedure UHash.Decode:
    Input: key $K$, stegotext $s_1, \ldots, s_\ell$
    for $i = 1 \ldots \ell$ do
        set $c_i = f(s_i)$
    set $c = c_1 \| c_2 \| \cdots \| c_\ell$
    Output: $D_K(c)$

The idea behind this construction is also simple. First, the encoding algorithm encrypts the hiddentext $m$ to get a ciphertext $c = E_K(m)$. Next, it splits the ciphertext $c$ into single bits. Then it draws documents from the channel until it finds $s_1$ such that $f(s_1) = c_1$. After that it finds $s_2$ such that $f(s_2) = c_2$, and $s_3$, and so on. This continues until all bits of $c$ have been encoded. The decoding algorithm simply applies $f$ to all the $s_i$'s to get $c$ and then decrypts with $D_K$ to recover the plaintext. Note that the execution time for $SD$ is essentially linear in $l$ and the execution time for $SE$ is an expected $O(l)$. Also note that our assumption of an "unbiased" function implies that an error correcting code as in construction 3.15 is unnecessary: the probability of failure here is at most $(1/2 + \epsilon)^{|K|}$. In the following, we will let $\ell(q, l)$ denote the total number of bits of ciphertext returned by encrypting $q$ plaintexts of total length $l$.
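Construction 3.18 as an added, runnable Python example; this is not code from the thesis or from [6]. The IND\$-CPA cipher $E_K$ is replaced by a stand-in (a random 8-byte nonce followed by the message XORed with an HMAC-SHA256 counter-mode keystream, which this example assumes yields random-looking bits), $f$ is a randomly chosen member of the universal hash family $h_{a,b}(x) = ((ax + b) \bmod p) \bmod 2$ applied to single documents (i.e. $k = 1$ rather than $D^k$), and the channel, key, modulus $p$ and hiddentext are constructed values. Besides the encode and decode procedures it includes `empirical_bias`, which estimates the $\epsilon$ of the text from channel samples, and `failure_bound`, which evaluates the $(1/2 + \epsilon)^{|K|}$ bound; together they are what one would measure before trusting a given $f$ on a given channel.

```python
"""Added example (not from the thesis): the UHash stegosystem of Construction
3.18.  E_K is replaced by a stand-in cipher (random 8-byte nonce plus an
HMAC-SHA256 counter-mode keystream, assumed to give random-looking bits); f is
a random member of the universal hash family h_{a,b}(x) = ((a*x + b) mod p) mod 2
applied to single documents (k = 1); channel, keys and sizes are constructed."""
import hashlib
import hmac
import random

COVER_DOCUMENTS = [b"hi", b"ok", b"brb", b"lol", b"yes", b"no", b"thanks", b"np",
                   b"see you", b"sure", b"maybe", b"later", b"cool", b"wow", b"fine", b"bye"]
HASH_PRIME = 1_000_003   # modulus p of the hash family (constructed)


class ChannelOracle:
    """Constructed memoryless channel; counts draws, the cost UHash minimises."""

    def __init__(self, seed):
        self._rng, self.queries = random.Random(seed), 0

    def draw(self, history):
        self.queries += 1
        return self._rng.choice(COVER_DOCUMENTS)


def make_hash(seed):
    """Pick f = h_{a,b} uniformly from the universal family (a != 0)."""
    rng = random.Random(seed)
    a, b = rng.randrange(1, HASH_PRIME), rng.randrange(HASH_PRIME)
    return lambda doc: ((a * int.from_bytes(doc, "big") + b) % HASH_PRIME) % 2


def keystream(key, nonce, nbytes):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((nbytes + 31) // 32))
    return b"".join(blocks)[:nbytes]


def encrypt(key, msg, rng):
    """Stand-in for E_K: nonce || (msg XOR keystream(nonce))."""
    nonce = rng.getrandbits(64).to_bytes(8, "big")
    return nonce + bytes(x ^ y for x, y in zip(msg, keystream(key, nonce, len(msg))))


def decrypt(key, ct):
    nonce, body = ct[:8], ct[8:]
    return bytes(x ^ y for x, y in zip(body, keystream(key, nonce, len(body))))


def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def uhash_encode(key, f, msg, history, oracle, rng, max_tries):
    """UHash.Encode: for each ciphertext bit c_i, draw from C_h until f(s_i) = c_i,
    giving up (and sending the last draw) after max_tries = |K| attempts."""
    stego = []
    for c_i in to_bits(encrypt(key, msg, rng)):
        j = 0
        while True:
            j += 1
            s_i = oracle.draw(history)
            if f(s_i) == c_i or j == max_tries:
                break
        stego.append(s_i)
        history = history + (s_i,)
    return stego


def uhash_decode(key, f, stego):
    """UHash.Decode: c_i = f(s_i), then decrypt."""
    return decrypt(key, from_bits([f(s) for s in stego]))


def empirical_bias(f, oracle, n=4000):
    """Estimate epsilon = Delta(f(C_h), U_1) from n channel samples."""
    return abs(sum(f(oracle.draw(())) for _ in range(n)) / n - 0.5)


def failure_bound(eps, key_bits):
    """The per-bit failure bound (1/2 + eps)^|K| stated in the text."""
    return (0.5 + eps) ** key_bits


def demo(seed=3):
    """Round-trip a message; returns (sent, recovered, stego length, oracle draws)."""
    key, msg = b"K" * 16, b"meet at noon"          # constructed key and hiddentext
    f, oracle, rng = make_hash(seed), ChannelOracle(seed), random.Random(seed + 1)
    stego = uhash_encode(key, f, msg, (), oracle, rng, max_tries=8 * len(key))
    return msg, uhash_decode(key, f, stego), len(stego), oracle.queries


if __name__ == "__main__":
    print(demo())
```

The stegotext is one document per ciphertext bit, so its length is fixed by $\ell(q,l)$ and independent of the channel, while the number of oracle draws is the expected $O(l)$ of the text (about two per bit when $\epsilon$ is small). The $j = |K|$ cut-off keeps the encoder from looping forever on a channel where $f$ happens to be nearly constant; `empirical_bias` is how one would notice that situation, since a large $\epsilon$ both raises the failure bound and, by Lemma 3.19, the warden's advantage.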

Lemma 3.19. For any warden $W \in \mathcal{W}(t, q, l)$, we can construct a corresponding adversary $A$ where

$$\mathbf{Adv}^{ss}_{UHash,C,W}(k) \le \mathbf{Adv}^{cpa}_{E,A}(k) + \ell(q, l)\epsilon.$$

The running time of $A$ is at most $t + O(kl)$, and $A$ makes $q$ encryption queries for a total of $l$ bits of plaintext.

Proof. We are given a program $W$ for distinguishing between the output of construction 3.18 and the ordinary traffic of the channel, and an oracle for sampling blocks from that channel. We construct a program $A$ which plays the CPA game, distinguishing an $E_K$ oracle from a uniform $\$$ oracle, with nearly the same advantage as $W$. $A$ simply runs $W$, responding to his queries by executing the encoding procedure UHash.Encode using its oracle in place of $E_K$. Consider the following two cases:

• $O(m) = E_K(m)$. Then the stegotexts output by the encoding procedure will be identically distributed to stegotexts resulting from the normal use of construction 3.18.

• $O(m) = \$(m)$ is chosen uniformly from strings of appropriate length. Then the stegotexts output by the encoding procedure will be $\ell(q, l)\epsilon$-statistically close to samples from $C_h$. To see that this is so, imagine instead that the $i$th bit of the ciphertext, $c_i$, was chosen so that $\Pr[c_i = 0] = \Pr[f(C_{h_i}) = 0]$. In this case the $i$th stegotext will come from a distribution identical to $C_{h_i}$. But since $\Delta(c_i, U_1) \le \epsilon$, it must be the case that $\Delta(s_i, C_{h_i}) \le \epsilon$ as well, by Proposition 2.4.

Thus $A$ can simply use the decision of $W$ to gain advantage close to that of $W$. More formally,

$$\begin{aligned}
\mathbf{Adv}^{cpa}_{E,A}(k) &= \left|\Pr[A^{E_K}(1^k) = 1] - \Pr[A^{\$}(1^k) = 1]\right| \\
&= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[A^{\$}(1^k) = 1]\right| \\
&\ge \left|\Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1]\right| - \ell(q, l)\epsilon \\
&= \mathbf{Adv}^{ss}_{UHash,C,W}(k) - \ell(q, l)\epsilon. \qquad \square
\end{aligned}$$

Theorem 3.20. $\mathbf{InSec}^{ss}_{UHash,C}(t, q, l, k) \le \mathbf{InSec}^{cpa}_E(t + O(kl), q, l, k) + \ell(q, l)\epsilon$.

Proof. The theorem follows from Lemma 3.19 and the definition of insecurity. $\square$


3.3 Necessary Conditions for Steganography

The previous section demonstrates that relative to an oracle for $C$, the existence of one-way functions is sufficient for the existence of secure steganography. In this section we will explore weaker definitions of steganographic secrecy, and establish two results. First, one-way functions are necessary for steganography; thus, relative to a channel oracle, the existence of one-way functions and secure steganography are equivalent. Second, we will show that in the "standard model," without access to a channel oracle, the existence of a secure stegosystem implies the existence of a program which samples from $C$; and thus in the standard model, secure steganography for $C$ exists if and only if $C$ is efficiently sampleable.
3.3.1 Steganography implies one-way functions

To strengthen our result, we develop the weaker notion of security against known-hiddentext attacks (KHA). In a $(l, \mu)$-KHA attack against distribution $\mathcal{D}$, the adversary is given a history $h$ of length $l$, a hiddentext drawn from $\mathcal{D}$, and a sequence of documents $s \in D^{|SE(K, m, h)|}$. The adversary's task is to decide whether $s \leftarrow C_h$ or $s \leftarrow SE(K, m, h)$. We define the KHA-advantage of $W$ by

$$\mathbf{Adv}^{kha\text{-}\mathcal{D}}_{S,C,W}(k, l, \mu) = \left|\Pr[W(h, m, SE(K, m, h)) = 1] - \Pr\left[W\left(h, m, C_h^{|SE(K, m, h)|}\right) = 1\right]\right|$$

and say that $S$ is secure against known hiddentext attack with respect to $\mathcal{D}$ and $C$ (SS-KHA-$\mathcal{D}$-$C$) if for every PPT $W$, for all polynomially-bounded $l, \mu$, $\mathbf{Adv}^{kha\text{-}\mathcal{D}}_{S,C,W}(k, l(k), \mu(k))$ is negligible in $k$.

Thus a stegosystem is secure against known-hiddentext attack if given the history $h$, and a plaintext $m$, an adversary cannot distinguish (asymptotically) between a stegotext encoding $m$ and a covertext of the appropriate length drawn from $C_h$. We will show that one-way functions are necessary even for this much weaker notion of security. In order to do so, we will use the following results from [33]:

Definition 3.21. ([33], Definition 3.9) A polynomial-time computable function $f : \{0,1\}^k \rightarrow \{0,1\}^{l(k)}$ is called a false entropy generator if there exists a polynomial-time computable $g : \{0,1\}^{k'} \rightarrow \{0,1\}^{l(k)}$ such that:

1. $H_S(g(U_{k'})) > H_S(f(U_k))$, and

2. $f(U_k) \approx g(U_{k'})$

Thus, a function is a false entropy generator (FEG) if its output is indistinguishable from a distribution with higher (Shannon) entropy. It is shown in [33] that if FEGs exist, then PRGs exist:

Theorem 3.22. ([33], Lemma 4.16) If there exists a false entropy generator, then there exists a pseudorandom generator.

Theorem 3.23. If there is a stegosystem $S$ which is SS-KHA-$\mathcal{D}$-$C$ secure for some hiddentext distribution $\mathcal{D}$ and some channel $C$, then there exists a pseudorandom generator, relative to an oracle for $C$.

Proof. We will show how to construct a false entropy generator from $S$.Encode, which when combined with Theorem 3.22 will imply the result.

Consider the function $f$ which draws a hiddentext $m$ of length $|K|^2$ from $\mathcal{D}$, and outputs $(SE(K, m, \varepsilon), m)$. Likewise, consider the function $g$ which draws a hiddentext $m$ of length $|K|^2$ from $\mathcal{D}$ and has the output distribution $(C_\varepsilon^{|SE(K, m, \varepsilon)|}, m)$. Because $S$ is SS-KHA-$\mathcal{D}$-$C$ secure, it must be the case that $f(U_k) \approx g(U_{k'})$. Thus $f$ and $g$ satisfy condition (1) from Definition 3.21.

Now, consider $H_S(C_\varepsilon^{|SE(K, m, \varepsilon)|})$ versus $H_S(SE(K, m, \varepsilon))$. We must have one of three cases:

1. $H_S(C_\varepsilon^{|SE(K, m, \varepsilon)|}) > H_S(SE(K, m, \varepsilon))$; in this case the program that samples from $C_\varepsilon$ is a false entropy generator and we are done.

2. $H_S(C_\varepsilon^{|SE(K, m, \varepsilon)|}) < H_S(SE(K, m, \varepsilon))$; in this case $SE$ is a false entropy generator, and again we are done.

3. $H_S(C_\varepsilon^{|SE(K, m, \varepsilon)|}) = H_S(SE(K, m, \varepsilon))$; in this case, we have that

$$H_S\left(m \,\middle|\, C_\varepsilon^{|SE(K, m, \varepsilon)|}\right) = |K|^2 H_S(\mathcal{D}),$$

whereas

$$H_S(m \mid SE(K, m, \varepsilon)) \le (1 + \nu)|K|$$

for a negligible function $\nu$. To see that this is the case, notice that $m = SD(K, SE(K, m, \varepsilon))$ and so is determined (up to a negligible probability) by $K$, and $H_S(K) = |K|$. Thus asymptotically, we have that $H_S(f(U_k)) < H_S(g(U_{k'}))$, and $f$ is a false entropy generator relative to an oracle for $C$. $\square$

Corollary 3.24. Relative to an oracle for $C$, secure steganography for $C$ exists if and only if one-way functions exist.

Proof. The corollary follows from Theorem 3.23 and the results of Section 3.2 and [33]. $\square$
3.3.2 Sampleable Channels are necessary

We say that a channel $C$ is efficiently sampleable if there exists an algorithm $C$ such that for any polynomial time $A$, for any polynomial $l$,

$$\left|\Pr_{h \leftarrow C^l}\left[A(1^k, C(1^k, h))\right] - \Pr_{h \leftarrow C^l}\left[A(1^k, C_h)\right]\right|$$

is negligible in $k$. Notice that for any efficiently sampleable channel $C$, the results of the previous sections prove that secure steganography with respect to $C$ exists if and only if one-way functions exist in the standard model, i.e., without assuming oracle access to the channel $C$. Here we will introduce a very weak notion of security with respect to $C$ and show that if secure steganography exists for $C$ in the standard model, then $C$ is efficiently sampleable.

A weaker attack yet than the KHA attack is the Known Distribution Attack game: In a $l$-KDA attack against distribution $\mathcal{D}$, the adversary is given a history $h$ of length $l$, and a sequence of documents $s \in D^{|SE(K, \mathcal{D}, h)|}$. The adversary's task is to decide whether $s \leftarrow C_h$ or $s \leftarrow SE(K, \mathcal{D}, h)$. We define the KDA-advantage of $W$ by

$$\mathbf{Adv}^{kda\text{-}\mathcal{D}}_{S,C,W}(k, l) = \left|\Pr_{m \leftarrow \mathcal{D},\, h \leftarrow C^l}[W(SE(K, m, h)) = 1] - \Pr_{h \leftarrow C^l}[W(C_h) = 1]\right|$$

and say that $S$ is secure against known distribution attack with respect to $\mathcal{D}$ and $C$ (SS-KDA-$\mathcal{D}$-$C$) if for every PPT $W$, for all polynomially-bounded $l$, $\mathbf{Adv}^{kda\text{-}\mathcal{D}}_{S,C,W}(k, l(k))$ is negligible in $k$. This attack is weaker yet than a KHA attack in that the length of the hiddentext is shorter and the hiddentext is unknown to $W$.

Theorem 3.25. If there exists an efficiently sampleable $\mathcal{D}$ such that there is a SS-KDA-$\mathcal{D}$-$C$ secure stegosystem $S$ in the standard model, then $C$ is efficiently sampleable.

Proof. Consider the program $C_S$ with the following behavior: on input $(1^k, h)$, $C_S$ picks $K \leftarrow \{0,1\}^k$, picks $m \leftarrow \mathcal{D}$, and returns the first document of $S$.Encode$(K, m, h)$. Consider any PPT distinguisher $A$. We will show that the KDA adversary $W$ which passes the first document of its input to $A$ and outputs $A$'s decision has at least the advantage of $A$. This is because in case $W$'s input is drawn from $SE$, the input it passes to $A$ is exactly distributed according to $C_S(1^k, h)$; and when $W$'s input is drawn from $C_h$, the input it passes to $A$ is exactly distributed according to $C_h$.

$$\begin{aligned}
\mathbf{Adv}^{kda\text{-}\mathcal{D}}_{S,C,W}(k, |h|) &= \left|\Pr[W(SE(K, m, h)) = 1] - \Pr[W(C_h) = 1]\right| \\
&= \left|\Pr[A(1^k, C_S(1^k, h)) = 1] - \Pr[A(1^k, C_h) = 1]\right|.
\end{aligned}$$

But because $S$ is SS-KDA-$\mathcal{D}$-$C$ secure, we know that $W$'s advantage must be negligible, and thus no efficient $A$ can distinguish this from the first document drawn from $C_h^{|SE(K, \mathcal{D}, h)|}$; the output of $C_S$ is computationally indistinguishable from $C$. $\square$

As a consequence of this theorem, if a designer is interested in developing a stegosystem for some channel $C$ in the standard model, he can focus exclusively on designing an efficient sampling algorithm for $C$. If his stegosystem is secure, it will include one anyway; and if he can design one, he can "plug it in" to the constructions from Section 3.2 and get a secure stegosystem based on "standard" assumptions.
Chapter 4

Public-Key Steganography

The results of the previous chapter assume that the sender and receiver share a secret, randomly chosen key. In the case that some exchange of key material was possible before the use of steganography was necessary, this may be a reasonable assumption. In the more general case, two parties may wish to communicate steganographically without prior agreement on a secret key. We call such communication public-key steganography. Whereas previous work has shown that symmetric-key steganography is possible (though inefficient) in an information-theoretic model, public-key steganography is information-theoretically impossible. Thus our complexity-theoretic formulation of steganographic secrecy is crucial to the security of the constructions in this chapter.

In Section 4.1 we will introduce some required basic primitives from the theory of public-key cryptography. In Section 4.2 we will give definitions for public-key steganography and show how to use the primitives to construct a public-key stegosystem. Finally, in Section 4.3 we introduce the notion of steganographic key exchange and give a construction which is secure under the Integer Decisional Diffie-Hellman assumption.
4.1 Public key cryptography

Our results build on several well-established cryptographic assumptions from the
theory of public-key cryptography. We will briefly review them here, for completeness.

Integer Decisional Diffie-Hellman.

Let P and Q be primes such that Q divides P − 1, let Z_P^* be the multiplicative
group of integers modulo P, and let g ∈ Z_P^* have order Q. Let A be an adversary
that takes as input three elements of Z_P^* and outputs a single bit. Define the DDH
advantage of A over (g, P, Q) as:

Adv^{ddh}_A(g, P, Q) = | Pr_{a,b}[A(g^a, g^b, g^{ab}, g, P, Q) = 1] − Pr_{a,b,c}[A(g^a, g^b, g^c, g, P, Q) = 1] | ,

where a, b, c are chosen uniformly at random from Z_Q and all the multiplications are
over Z_P^*. The Integer Decisional Diffie-Hellman assumption (DDH) states that for every
PPT A, for every sequence {(P_k, Q_k, g_k)}_k satisfying |P_k| = k and |Q_k| = O(k),
Adv^{ddh}_A(g_k, P_k, Q_k) is negligible in k.

Trapdoor One-way Permutations.

A trapdoor one-way permutation family Π is a sequence of sets {Π_k}_k, where each Π_k
is a set of bijective functions π : {0,1}^k → {0,1}^k, along with a triple of algorithms
(G, E, I). G(1^k) samples an element π ∈ Π_k along with a trapdoor τ; E(π, x) evaluates
π(x) for x ∈ {0,1}^k; and I(τ, y) evaluates π^{−1}(y). For a PPT A running in time t(k),
denote the advantage of A against Π by

Adv^{ow}_{Π,A}(k) = Pr_{(π,τ) ← G(1^k), x ← U_k}[A(π(x)) = x] .

Define the insecurity of Π by InSec^{ow}_Π(t, k) = max_{A ∈ A(t)} { Adv^{ow}_{Π,A}(k) }, where A(t)
denotes the set of all adversaries running in time t(k). We say that Π is a trapdoor
one-way permutation family if for every probabilistic polynomial-time (PPT) A,
Adv^{ow}_{Π,A}(k) is negligible in k.
Trapdoor one-way predicates

A trapdoor one-way predicate family P is a sequence {P_k}_k, where each P_k is a set of
efficiently computable predicates p : D_p → {0,1}, along with an algorithm G(1^k) that
samples pairs (p, S_p) uniformly from P_k; S_p is an algorithm that, on input b ∈ {0,1},
samples x uniformly from D_p subject to p(x) = b. For a PPT A running in time t(k),
denote the advantage of A against P by

Adv_{P,A}(k) = Pr_{(p,S_p) ← G(1^k), x ← D_p}[A(x, p) = p(x)] .

Define the insecurity of P by

InSec_P(t, k) = max_{A ∈ A(t)} { Adv_{P,A}(k) } ,

where A(t) denotes the set of all adversaries running in time t(k). We say that P is a
trapdoor one-way predicate family if for every probabilistic polynomial-time (PPT)
A, Adv_{P,A}(k) is negligible in k.

Notice that one way to construct a trapdoor one-way predicate is to utilize the
Goldreich-Levin hard-core bit [28] of a trapdoor one-way permutation. That is, for a
permutation family Π, the associated trapdoor predicate family P_Π works as follows:
the predicate p_π has domain Dom(π) × {0,1}^k, and is defined by p(x, r) = π^{−1}(x) · r,
where · denotes the vector inner product on GF(2)^k. [28] prove that there exist
polynomials such that InSec_{P_Π}(t, k) ≤ poly(InSec^{ow}_Π(poly(t), k)).


4.1.1  Pseudorandom  Public-Key  Encryption 

We will require public-key encryption schemes that are secure in a slightly non-
standard model, which we will denote by IND$-CPA in contrast to the more standard
IND-CPA. The main difference is that security against IND$-CPA requires the output
of the encryption algorithm to be indistinguishable from uniformly chosen random
bits, whereas IND-CPA only requires the output of the encryption algorithm to be
indistinguishable from encryptions of other messages.

Formally, a public-key (or asymmetric) cryptosystem \mathcal{E} consists of three (randomized)
algorithms:
• \mathcal{E}.Generate : 1^k → \mathcal{PK}_k × \mathcal{SK}_k generates (public, secret) key pairs (PK, SK).
We will abbreviate \mathcal{E}.Generate(1^k) by G(1^k), when it is clear which encryption
scheme is meant.

• \mathcal{E}.Encrypt : \mathcal{PK} × {0,1}^* → {0,1}^* uses a public key to transform a plaintext
into a ciphertext. We will abbreviate \mathcal{E}.Encrypt(PK, ·) by E_PK(·).

• \mathcal{E}.Decrypt : \mathcal{SK} × {0,1}^* → {0,1}^* uses a secret key to transform a ciphertext
into the corresponding plaintext. We will abbreviate \mathcal{E}.Decrypt(SK, ·) by D_SK(·).

Such that for all key pairs (PK, SK) ∈ G(1^k), Decrypt(SK, Encrypt(PK, m)) = m.

To formally define the security condition for a public-key encryption scheme, consider
a game in which an adversary A is given a public key drawn from G(1^k) and
chooses a message m_A. Then A is given either E_PK(m_A) or a uniformly chosen string
of the same length. Let A(t, l) be the set of adversaries A which produce a message
of length at most l(k) bits and run for at most t(k) time steps. Define the IND$-CPA
advantage of A against \mathcal{E} as

Adv^{cpa}_{\mathcal{E},A}(k) = | Pr[A(PK, E_PK(m_A)) = 1] − Pr[A(PK, U_{|E_PK(m_A)|}) = 1] | .

Define the insecurity of \mathcal{E} as InSec^{cpa}_{\mathcal{E}}(t, l, k) = max_{A ∈ A(t,l)} { Adv^{cpa}_{\mathcal{E},A}(k) }. \mathcal{E} is (t, l, ε)-
indistinguishable from random bits under chosen plaintext attack if InSec^{cpa}_{\mathcal{E}}(t, l, k) ≤
ε(k). \mathcal{E} is called indistinguishable from random bits under chosen plaintext attack
(IND$-CPA) if for every probabilistic polynomial-time (PPT) A, Adv^{cpa}_{\mathcal{E},A}(k) is negligible
in k. We show how to construct IND$-CPA public-key encryption schemes from
a variety of well-established cryptographic assumptions.

IND$-CPA public-key encryption schemes can be constructed from any primitive
which implies trapdoor one-way predicates p with domains D_p satisfying one of the
following conditions:

• D_p is computationally or statistically indistinguishable from {0,1}^{poly(k)}: in this
case it follows directly that encrypting the bit b by sampling from p^{−1}(b) yields
an IND$-CPA scheme. The results of Goldreich and Levin imply that such
predicates exist if there exist trapdoor one-way permutations on {0,1}^k, for
example.

• D_p has an efficiently recognizable, polynomially dense encoding in {0,1}^{poly(k)}:
in this case, we let q(·) denote the polynomial such that every D_p has density
at least 1/q(k). Then to encrypt a bit b, we draw ℓ = kq(k) samples
d_1, ..., d_ℓ ← U_{poly(k)}; let i be the least i such that d_i ∈ D_p; then transmit
d_1, ..., d_{i−1}, p^{−1}(b), d_{i+1}, ..., d_ℓ. (This assumption is similar to the requirement
for common-domain trapdoor systems used by [19], and all (publicly-known)
public-key encryption systems seem to support construction of trapdoor predicates
satisfying this condition.)

Stronger assumptions allow construction of more efficient schemes. Here we will
construct schemes satisfying IND$-CPA under the following assumptions: trapdoor
one-way permutations on {0,1}^k, the RSA assumption, and the Decisional Diffie-Hellman
assumption. Notice that although both of the latter two assumptions imply
the former through standard constructions, the standard constructions exhibit
considerable security loss which can be avoided by our direct constructions.


4.1.2  Efficient  Probabilistic  Encryption 

The following “EPE” encryption scheme is described in [30], and is a generalization
of the protocol given by [13]. When used in conjunction with a family of trapdoor
one-way permutations on domain {0,1}^k, it is easy to see that the scheme satisfies
IND$-CPA (here · is the GF(2)^k inner product of Section 4.1, so each b_i is a
Goldreich-Levin hard-core bit of the corresponding x_{i−1}):

Construction 4.1. (EPE Encryption Scheme)

Procedure Encrypt:
Input: m ∈ {0,1}^*, tOWP π
Sample x_0, r ← U_k
let l = |m|
for i = 1 ... l do
    set b_i = x_{i−1} · r
    set x_i = π(x_{i−1})
Output: x_l, r, b ⊕ m

Procedure Decrypt:
Input: (x, r, c), trapdoor π^{−1}
let l = |c|, x_l = x
for i = l ... 1 do
    set x_{i−1} = π^{−1}(x_i)
    set b_i = x_{i−1} · r
Output: c ⊕ b

IND$-CPA-ness follows by the pseudorandomness of the bit sequence b_1, ..., b_l
generated by the scheme and the fact that x_l is uniformly distributed in {0,1}^k.


RSA-based  construction 

The RSA function E_{N,e}(x) = x^e mod N is believed to be a trapdoor one-way permutation
family when N is selected as the product of two large, random primes. The
following construction uses Young and Yung's Probabilistic Bias Removal Method
(PBRM) [65] to remove the bias incurred by selecting an element from Z_N^* rather
than U_k.

Construction 4.2. (RSA-based Pseudorandom Encryption Scheme)

Procedure Encrypt:
Input: plaintext m; public key N, e
let k = |N|, l = |m|
repeat:
    Sample x_0 ← Z_N^*
    for i = 1 ... l do
        set b_i = x_{i−1} mod 2
        set x_i = x_{i−1}^e mod N
    sample c ← U_1
until (x_l < 2^k − N) OR c = 1
if (x_l < 2^k − N) and c = 0 set x' = x_l
if (x_l < 2^k − N) and c = 1 set x' = 2^k − x_l
otherwise (x_l ≥ 2^k − N, so c = 1) set x' = x_l
Output: x', b ⊕ m

Procedure Decrypt:
Input: x', c; (N, d)
let l = |c|, k = |N|
if (x' < N) set x_l = x'
else set x_l = 2^k − x'
for i = l ... 1 do
    set x_{i−1} = x_i^d mod N
    set b_i = x_{i−1} mod 2
Output: c ⊕ b

(The decryption test is x' < N: an unreflected x' = x_l lies below N, while a
reflected x' = 2^k − x_l with x_l < 2^k − N lies above N.)

The IND$-CPA security of the scheme follows from the correctness of PBRM and the
fact that the least-significant bit is a hardcore bit for RSA. Notice that the expected
number of repeats in the encryption routine is at most 2.


DDH-based  construction 

Let E_(·)(·), D_(·)(·) denote the encryption and decryption functions of a private-key
encryption scheme satisfying IND$-CPA, keyed by κ-bit keys, and let κ < k/3. (We
give an example of such a scheme in Chapter 2.) Let \mathcal{H}_k be a family of pairwise-
independent hash functions H : {0,1}^k → {0,1}^κ. We let P be a k-bit prime (so
2^{k−1} < P < 2^k), and let P = rQ + 1 where (r, Q) = 1 and Q is also a prime. Let ĝ
generate Z_P^* and g = ĝ^r mod P generate the unique subgroup of order Q. The security
of the following scheme follows from the Decisional Diffie-Hellman assumption, the
leftover-hash lemma, and the security of (E, D):

Construction 4.3. DDHRand Public-key cryptosystem.

Procedure Encrypt:
Input: m ∈ {0,1}^*; (g, g^x, P)
Sample H ← \mathcal{H}_k
repeat:
    Sample y ← Z_{P−1}
until (ĝ^y mod P) < 2^{k−1}
set K = H((g^x)^y mod P)
Output: H, ĝ^y, E_K(m)

Procedure Decrypt:
Input: (H, s, c); private key (x, P, Q)
let r = (P − 1)/Q
set K = H(s^{rx} mod P)
Output: D_K(c)

The security proof considers two hybrid encryption schemes: H_1 replaces the value
(g^x)^y by a random element of the subgroup of order Q, g^c, and H_2 replaces K by
a random draw from {0,1}^κ. Clearly distinguishing H_2 from random bits requires
distinguishing some E_K(m) from random bits. The Leftover Hash Lemma gives that
the statistical distance between H_2 and H_1 is at most 2^{−κ}. Thus

Adv_{H_1,$}(k) ≤ InSec^{cpa}_{(E,D)}(t, l, k) + 2^{−κ} .

Finally, we show that any distinguisher A for H_1 from the output of Encrypt with
advantage ε can be used to construct a distinguisher B that solves the DDH problem
with advantage at least ε/2. B takes as input a triple (g^x, g^y, g^z) and attempts to
decide whether z = xy, as follows. First, B computes τ as the least integer such that
rτ ≡ 1 mod Q, and then picks β ← Z_r. Then B computes s = (g^y)^τ ĝ^{βQ}. If s > 2^{k−1},
B outputs 0. Otherwise, B submits g^x to A to get the message m_A, draws H ← \mathcal{H}_k,
and outputs the decision of A(g^x, H||s||E_{H(g^z)}(m_A)). We claim that:

• The element s is a uniformly chosen element of Z_P^*, when y ← Z_Q. To see
that this is true, observe that the exponent of s, ξ = rτy + βQ, is congruent to
y mod Q and to βQ mod r; and that for uniform β, βQ is also a uniform residue
mod r. By the Chinese remainder theorem, there is exactly one element of Z_{rQ} =
Z_{P−1} that satisfies these conditions, for every y and β. Thus s is uniformly
chosen.

• B halts and outputs 0 with probability at most ½ over input and random choices;
and conditioned on not halting, the value s is uniformly distributed in {0,1}^k.
This is true because 2^{k−1} < P < 2^k by assumption.

• When z = xy, the input H||s||E_{H(g^z)}(m_A) is selected exactly according to the
output of Encrypt(g^x, m_A). This is because, writing rτ = αQ + 1 for some integer α,

s^{rx} = (ĝ^{rτy + βQ})^{rx}

= ĝ^{(αQ+1)rxy + rQ(βx)}

= ĝ^{rxy} = g^{xy} = g^z .

• When z ≠ xy, the input H||s||E_{H(g^z)}(m_A) is selected exactly according to the
output of H_1, by construction.

Thus,

Pr[B(g^x, g^y, g^{xy}) = 1] = ½ Pr[A(g^x, Encrypt(g^x, m_A)) = 1] ,

and

Pr[B(g^x, g^y, g^z) = 1] = ½ Pr[A(g^x, H_1(m_A)) = 1] .

And thus Adv^{ddh}_B(g, P, Q) ≥ ½ε. Thus, we have that overall,

InSec^{cpa}_{DDHRand}(t, l, k) ≤ InSec^{ddh}_{P,Q}(t, k) + InSec^{cpa}_{(E,D)}(t, l, k) + 2^{−κ} .


4.2  Public  key  steganography 

We will first give definitions of public-key stegosystems and security against chosen-
hiddentext attack, and then give a construction of a public-key stegosystem to demonstrate
the feasibility of these notions. The construction is secure assuming the existence
of a public-key IND$-CPA-secure cryptosystem.
4.2.1 Public-key stegosystems

As with the symmetric case, we will first define a stegosystem in terms of syntax and
correctness, and then proceed to a security definition.

Definition 4.4. (Stegosystem) A public-key stegosystem S is a triple of probabilistic
algorithms:

• S.Generate takes as input a security parameter 1^k and generates a key pair
(PK, SK) ∈ \mathcal{PK} × \mathcal{SK}. When it is clear from the context which stegosystem
we are referring to, we will abbreviate S.Generate by SG.

• S.Encode (abbreviated SE when S is clear from the context) takes as input
a public key PK ∈ \mathcal{PK}, a string m ∈ {0,1}^* (the hiddentext), and a message
history h. As with the symmetric case, we will also assume for our feasibility
results that SE has access to a channel oracle for some channel C, which can
sample from C_h for any h.

SE(PK, m, h) returns a sequence of documents s_1, s_2, ..., s_l (the stegotext) from
the support of C_h^l.

• S.Decode (abbreviated SD) takes as input a secret key SK ∈ \mathcal{SK}, a sequence
of documents s_1, s_2, ..., s_l, and a message history h.

SD(SK, s, h) returns a hiddentext m ∈ {0,1}^*.

As in the private key case, we will also require that a public-key stegosystem is
correct:

Definition 4.5. (Correctness) A public-key stegosystem S is correct if for every polynomial
p(k) there exists a negligible μ(k) such that

∀ m ∈ {0,1}^{p(k)}, h ∈ D^* : Pr_{(PK,SK) ← SG(1^k)}[SD(SK, SE(PK, m, h), h) = m] ≥ 1 − μ(k)

where the randomization is also over any coin tosses of SE, SD, SG and the oracle
to C_h.
Remark. While in general Alice will need to remember the history of documents
transmitted  to  Bob,  it  is  most  desirable  if  Bob  is  not  required  to  store  the  history  of 
documents  he  has  received  from  Alice.  Some  of  our  protocols  require  Bob  to  store 
this  history,  but  it  is  straightforward  to  rewrite  them  so  that  Bob  need  only  remember 
a  collision-intractable  digest  of  the  history.  In  this  paper  we  are  not  concerned  with 
attacks  in  which  Ward  attempts  to  disrupt  the  communication  between  Alice  and 
Bob,  so  the  dependence  of  decoding  on  accurate  history  is  chiefly  a  storage  concern. 


4.2.2 Steganographic Secrecy against Chosen Hiddentext Attack


In  a  chosen  hiddentext  attack,  W  is  allowed  to  supply  hiddentexts  to  Alice,  in  hopes 
of  detecting  whether  or  not  she  is  using  steganography  in  her  communications  with 
Bob.  (Note  that  a  chosen  hiddentext  attack  is  the  steganographic  equivalent  of  a 
chosen  plaintext  attack  against  an  encryption  scheme.) 

We will model a warden attacking a stegosystem as an efficient oracle machine
which plays the following game. First, a pair (PK, SK) is drawn from SG(1^k) and W
is allowed to access PK and sample from C_h for any history h, to produce a message
m_W and a history h_W. Then W is given access to a sequence s ∈ D^*, which is drawn
either from SE(PK, m_W, h_W) or C_{h_W}^l, and continues to access C_h for any history h
(this oracle allows W to learn the covertext distribution on all communications).
Finally W outputs a bit which is a “guess” about whether s is a stegotext or a
covertext.

We define the CHA advantage of W against stegosystem S over channel C by

Adv^{cha}_{S,C,W}(k) = | Pr[W(PK, s) = 1] − Pr[W(PK, C_{h_W}^l) = 1] | ,

where the probabilities are taken over (PK, SK) ← SG(1^k), (m_W, h_W) ← W(PK),
s ← SE(PK, m_W, h_W), the random bits of W and the responses of the oracle C.
Define the insecurity of S over channel C by

InSec^{cha}_{S,C}(t, l, k) = max_{W ∈ W(t,l)} { Adv^{cha}_{S,C,W}(k) } ,

where W(t, l) denotes the set of all adversaries which choose a message of length at
most l(k) bits, and run in time at most t(k).

Thus, S is secure against chosen-hiddentext attacks if the warden, even given
Bob's public key, cannot tell whether Alice's message to Bob encodes any hiddentext
at all, even one of his choice.


4.2.3  Construction 

Our protocols build on the following construction, a generalization of construction 3.18.
Let f : D → {0,1} be a public function (recall that C is a distribution on sequences
of elements of D). If f is perfectly unbiased on C_h for all h, then the following encoding
procedure, on uniformly distributed l-bit input c, produces output distributed
exactly according to C_h^l:

Construction 4.6. (Basic encoding/decoding routines)

Procedure Basic_Encode:
Input: bits c_1, ..., c_l, history h, bound k
for i = 1 ... l do
    Let j = 0
    repeat:
        sample s_i ← C_h, increment j
    until f(s_i) = c_i OR (j > k)
    set h = (h, s_i)
Output: s_1, s_2, ..., s_l

Procedure Basic_Decode:
Input: Stegotext s_1, s_2, ..., s_l
for i = 1 ... l do
    set c_i = f(s_i)
set c = c_1 || c_2 || ... || c_l.
Output: c

Note that for infinitely many C_h there is no perfectly unbiased function f. As with
construction 3.18, this can be rectified by using a (global) universal hash function.


Lemma 4.7. Any channel C which is always informative can be compiled into a
channel C^{(k)} which admits an efficiently computable function f such that for any
polynomial-length sequence h_1, ..., h_n satisfying Pr_C[h_i] ≠ 0, | Pr[f(C^{(k)}_{h_i}) = 1] − ½ | is
negligible in k for all 1 ≤ i ≤ n.

Proof. Let l(k) = ω(log k). Then the channel C^{(k)} is simply a distribution on sequences
of documents which are elements of D^{l(k)}, and the marginal distributions C^{(k)}_h are
simply C_h^{l(k)}. Because C is always informative, we have that for any h which has
non-zero probability, H_∞(C^{(k)}_h) = ω(log k).

Let h_1, h_2, ..., h_m be any sequence of histories which all have non-zero probability
under C^{(k)}, and let f : {0,1}^{m(k)} × D^{l(k)} → {0,1} be a universal hash function. Let
Y, Z ← U_{m(k)}, B ← U_m, and D_i ← C^{(k)}_{h_i}. Let L(k) = min_i H_∞(D_i), and note that
L(k) = ω(log k). Then the Leftover Hash Lemma ([33]) implies that

Δ((Y, f_Y(D_1), ..., f_Y(D_m)), (Y, B)) ≤ m 2^{−L(k)/2 + 1} ,

from which it is immediate that if we choose Y ← U_{m(k)} once and publicly, then for all
1 ≤ i ≤ m, f_Y will have negligible bias for C^{(k)}_{h_i} except with negligible probability. □

Lemma 4.8. If f is ε-biased on C_h for all h, then for any k and s_1, s_2, ..., s_l:

Δ(Basic_Encode(U_l, h, k), C_h^l) ≤ εl .

Proof. To see that this is so, imagine that the i-th bit of the input to Basic_Encode,
c_i, was chosen so that Pr[c_i = 0] = Pr[f(C_{h_i}) = 0]. In this case the i-th document
output by Basic_Encode will come from a distribution identical to C_{h_i}. But since
Δ(c_i, U_1) ≤ ε, it must be the case that Δ(s_i, C_{h_i}) ≤ ε as well, by proposition 2.4.
The statistical distance between the entire sequences must then be at most εl, by the
triangle inequality. □

Using these lemmata, we will show that public-key steganography is possible in any
channel that is always informative. We note that procedure Basic_Encode has a small
probability of failure: Basic_Decode(Basic_Encode(c, h, k)) might not equal c. This
probability of failure, however, is negligible in k.

4.2.4  Chosen  Hiddentext  security 

Let E_PK(·) and D_SK(·) denote the encryption and decryption algorithms for a public-
key cryptosystem \mathcal{E} which is indistinguishable from random bits under chosen plaintext
attack (IND$-CPA). Let ℓ be the expansion function of \mathcal{E}, i.e., |E_PK(m)| = ℓ(|m|).
The following procedures allow encoding and decoding of messages in a manner which
is steganographically secret under chosen hiddentext attack for the channel distribution
C:

Construction 4.9. (Chosen Hiddentext Security)

Procedure CHA_Encode:
Input: m ∈ {0,1}^*, h ∈ D^*, key PK
Let c = E_PK(m)
Output: Basic_Encode(c, h, k)

Procedure CHA_Decode:
Input: s_1, ..., s_l ∈ D^l, secret key SK
Let c = Basic_Decode(s_1, ..., s_l)
Output: D_SK(c)
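The following Python program is an added worked example and is not code from the thesis. It puts Constructions 4.2, 4.6 and 4.9 together: the RSA/PBRM scheme is the IND$-CPA cryptosystem E_PK, Basic_Encode/Basic_Decode run the rejection sampler over a channel oracle, and CHA_Encode/CHA_Decode wrap the two. Everything concrete in it is a constructed assumption: the 12-bit RSA modulus (useless as a security parameter, it only exercises the arithmetic), the eight-word bigram channel C_h, the public key Y of the inner-product function f_Y, and the Basic_Encode bound of 40 draws. estimate_bias measures the ε of Lemma 4.8 for this channel empirically (about 0.1 here), which is what makes the per-bit failure probability 0.6^40 negligible.

```python
import math
import random

# Construction 4.2 with constructed toy RSA parameters (NOT secure): N = 61 * 53 = 3233
# is a k = 12-bit modulus (2^11 < N < 2^12), phi(N) = 3120 and 17 * 2753 = 1 mod 3120.
N, E_EXP, D_EXP = 3233, 17, 2753
K = N.bit_length()  # k = |N|


def rsa_pbrm_encrypt(m, rng):
    """E_PK(m) for a list of plaintext bits m; returns k + |m| bits."""
    thresh = (1 << K) - N  # PBRM threshold 2^k - N
    while True:
        x = rng.randrange(1, N)  # x_0 <- Z_N^*
        while math.gcd(x, N) != 1:
            x = rng.randrange(1, N)
        b = []
        for _ in m:
            b.append(x & 1)  # b_i = x_{i-1} mod 2 (RSA hard-core bit)
            x = pow(x, E_EXP, N)  # x_i = x_{i-1}^e mod N
        c = rng.getrandbits(1)
        if x < thresh or c == 1:
            break
    # PBRM: an x_l below 2^k - N is reflected above N with probability 1/2, so x'
    # is (up to negligible bias) a uniform k-bit string rather than an element of Z_N.
    xp = (1 << K) - x if (x < thresh and c == 1) else x
    return [(xp >> (K - 1 - i)) & 1 for i in range(K)] + [mi ^ bi for mi, bi in zip(m, b)]


def rsa_pbrm_decrypt(ct):
    """D_SK(ct): undo the reflection, then walk the RSA chain backwards with d."""
    xp = int("".join(map(str, ct[:K])), 2)
    c = ct[K:]
    x = xp if xp < N else (1 << K) - xp  # reflected values are exactly those above N
    b = [0] * len(c)
    for i in range(len(c) - 1, -1, -1):
        x = pow(x, D_EXP, N)  # x_{i-1} = x_i^d mod N
        b[i] = x & 1
    return [ci ^ bi for ci, bi in zip(c, b)]


# Constructed covertext channel: documents are words, and the word that follows the
# previous one in VOCAB is three times as likely as each of the others.
VOCAB = ["ok", "sure", "later", "maybe", "fine", "yes", "no", "soon"]


def channel_sample(h, rng):
    """Channel oracle for C_h (h is the list of documents sent so far)."""
    prev = h[-1] if h else VOCAB[0]
    favoured = VOCAB[(VOCAB.index(prev) + 1) % len(VOCAB)]
    return rng.choices(VOCAB, [3 if w == favoured else 1 for w in VOCAB])[0]


Y = 0xC  # constructed global key for f_Y (the public Y of Lemma 4.7)


def f(doc):
    """f_Y(doc) = <Y, doc> over GF(2): the inner-product hash of the document's bytes."""
    return bin(int.from_bytes(doc.encode(), "big") & Y).count("1") & 1


def estimate_bias(h, seed=0, n=20000):
    """Empirical |Pr[f(C_h) = 1] - 1/2|: the epsilon of Lemma 4.8 for history h."""
    rng = random.Random(seed)
    return abs(sum(f(channel_sample(h, rng)) for _ in range(n)) / n - 0.5)


def basic_encode(bits, h, rng, bound=40):
    """Construction 4.6: draw from C_h until f(s_i) = c_i, at most `bound` times."""
    h, out = list(h), []
    for ci in bits:
        for _ in range(bound):
            s = channel_sample(h, rng)
            if f(s) == ci:
                break
        out.append(s)  # after `bound` misses the last draw is sent anyway (the j > k exit)
        h.append(s)
    return out


def basic_decode(stegotext):
    return [f(s) for s in stegotext]


def cha_encode(m, h, rng):
    """Construction 4.9: uniform-looking ciphertext bits drive Basic_Encode."""
    return basic_encode(rsa_pbrm_encrypt(m, rng), h, rng)


def cha_decode(stegotext):
    return rsa_pbrm_decrypt(basic_decode(stegotext))


def roundtrip(m, seed=1):
    """Encode m under history ["ok"] and decode it; returns (stegotext, recovered bits)."""
    rng = random.Random(seed)
    steg = cha_encode(m, ["ok"], rng)
    return steg, cha_decode(steg)


if __name__ == "__main__":
    steg, rec = roundtrip([int(b) for b in "0110100001101001"])
    print(" ".join(steg), rec, estimate_bias(["ok"]))
```

The stegotext is a sequence of ordinary channel words whose only link to the hiddentext is through f_Y, and that link is invisible to the warden precisely because the bits fed to Basic_Encode are the PBRM-smoothed RSA output: if E_PK produced ciphertexts with any fixed structure (a header, a biased bit), that structure would show up in the statistics of the chosen words, which is the reason the page insists on IND$-CPA rather than IND-CPA.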

Lemma 4.10. Assume f is ε-biased on C_h for all h. For any warden W ∈ W(t, l),
we can construct an IND$-CPA adversary A where

Adv^{cha}_{S,C,W}(k) ≤ Adv^{cpa}_{\mathcal{E},A}(k) + ℓ(l)ε .

The running time of A is at most t + O(kl) (k is the security parameter of (PK, SK)
and is used as a bound for Basic_Encode), and A makes q encryption queries for a
total of l bits of plaintext.

Proof. We are given a program W for distinguishing between the output of Construction
4.9 and the ordinary traffic of the channel, and an oracle for sampling
blocks from that channel. We construct a program A which plays the IND$-CPA
game: distinguishing E_PK(m_W) from U_{ℓ(l)}. A(PK) simply runs W(PK), to
get (m_W, h_W) and returns m_W for m_A. Then A(PK, c) uses the oracle C_h to compute
s = Basic_Encode(c, h_W, k), and returns the output of W(PK, s). Consider the cases
for A's input.

• If c ← E_PK(m_W), then s ← CHA_Encode(PK, m_W, h_W); so we have

Pr[A(PK, E_PK(m_A)) = 1] = Pr[W(PK, SE(PK, m_W, h_W)) = 1] .

• If c ← U_ℓ, then s is distributed identically to Basic_Encode(U_ℓ, h_W, k); thus

| Pr[A(PK, U_ℓ) = 1] − Pr[W(PK, C_{h_W}^ℓ) = 1] | ≤ ℓε

by lemma 4.8.

Combining the cases, we have

Adv^{cha}_{S,C,W}(k) = | Pr[W(PK, SE(PK, m_W, h_W)) = 1] − Pr[W(PK, C_{h_W}^ℓ) = 1] |

≤ | Pr[W(PK, SE(PK, m_W, h_W)) = 1] − Pr[A(PK, U_ℓ) = 1] | + ℓ(l)ε
= | Pr[A(PK, E_PK(m_A)) = 1] − Pr[A(PK, U_ℓ) = 1] | + ℓ(l)ε
= Adv^{cpa}_{\mathcal{E},A}(k) + ℓ(l)ε ,

as claimed. □

Theorem 4.11. If f is ε-biased on C_h for all h, then

InSec^{cha}_{S,C}(t, l, k) ≤ InSec^{cpa}_{\mathcal{E}}(t + O(kl), l, k) + ℓ(l)ε .

4.3  Steganographic  Key  Exchange 

In many cases in which steganography might be desirable, it may not be possible for
either Alice or Bob to publish a public key without raising suspicion. In these cases, a
natural alternative to public-key steganography is steganographic key exchange: Alice
and Bob exchange a sequence of messages, indistinguishable from normal communication
traffic, and at the end of this sequence they are able to compute a shared key.
So long as this key is indistinguishable from a random key to the warden, Alice and
Bob can proceed to use their shared key in a symmetric-key stegosystem. In this
section, we will formalize this notion.

Definition 4.12. (Steganographic Key Exchange Protocol) A steganographic key exchange
protocol, or SKEP S, is a pair of efficient probabilistic algorithms:

• S.Encode_Key (Abbreviated SE): takes as input a security parameter 1^k and a
string of random bits. SE(1^k, U_k) outputs a sequence of l(k) documents.

• S.Compute_Key (Abbreviated SD): takes as input a security parameter 1^k,
a string of random bits, and a sequence s of l(k) documents. SD(1^k, s, U_k)
outputs an element of the key space \mathcal{K}.

We say that S is correct if these algorithms satisfy the property that there exists a
negligible function μ(k) satisfying:

Pr_{r_a, r_b}[SD(1^k, r_a, SE(1^k, r_b)) = SD(1^k, r_b, SE(1^k, r_a))] ≥ 1 − μ(k) .

We call the output of SD(1^k, r_a, SE(1^k, r_b)) the result of the protocol, and denote this
result by S_KE(r_a, r_b). We denote by S(1^k, r_a, r_b) the triple (SE(1^k, r_a), SE(1^k, r_b),
S_KE(r_a, r_b)).


Alice  and  Bob  perform  a  key  exchange  using  S  by  sampling  private  randomness 
ra,  rb,  asynchronously  sending  SE(lk,ra)  and  SE(lk,  rb )  to  each  other,  and  using  the 
result  of  the  protocol  as  a  key.  Notice  that  in  this  definition  a  SKEP  must  be  an 
asynchronous  single-round  scheme,  ruling  out  multi-round  key  exchange  protocols. 
This  is  for  ease  of  exposition  only. 

We remark that many authenticated cryptographic key exchange protocols require
three flows without a public-key infrastructure. Our SKE scheme will be secure with
only two flows because we won't consider the same class of attackers as these protocols;
in particular we will not worry about active attackers who alter the communications
between Alice and Bob, and so Diffie-Hellman style two-flow protocols are possible.
This may be a more plausible assumption in the SKE setting, since an attacker will
not even be able to detect that a key exchange is taking place, while cryptographic
key exchanges are typically easy to recognize.

Let W be a warden running in time t. We define W's SKE advantage against S
on bidirectional channel B with security parameter k by:

Adv^{ske}_{S,B,W}(k) = | Pr_{r_a, r_b}[W(S(1^k, r_a, r_b)) = 1] − Pr_K[W(B, K) = 1] | .

We remark that, as in our other definitions, W also has access to bidirectional channel
oracles C_a, C_b.

Let W(t) denote the set of all wardens running in time t. The SKE insecurity of
S on bidirectional channel B with security parameter k is given by InSec^{ske}_{S,B}(t, k) =
max_{W ∈ W(t)} { Adv^{ske}_{S,B,W}(k) } .

Definition 4.13. (Secure Steganographic Key Exchange) A SKEP S is said to be
(t, ε)-secure for bidirectional channel B if InSec^{ske}_{S,B}(t, k) ≤ ε(k). S is said to be secure
for B if for all PPT adversaries W, Adv^{ske}_{S,B,W}(k) is negligible in k.


4.3.1  Construction 

The idea behind the construction for steganographic key exchange is simple:
let ĝ generate Z_P^*, let Q be a large prime with P = rQ + 1 and r coprime to Q, and
let g = ĝ^r generate the subgroup of order Q. Alice picks values a ∈ Z_{P−1}
uniformly at random until she finds one such that ĝ^a mod P has its most significant
bit (MSB) set to 0 (so that ĝ^a mod P is uniformly distributed in the set of bit strings
of length |P| − 1). She then uses Basic_Encode to send all the bits of ĝ^a mod P except
for the MSB (which is zero anyway). Bob does the same and sends all the bits of ĝ^b
mod P except the most significant one (which is zero anyway) using Basic_Encode.
Bob and Alice then perform Basic_Decode and agree on the key value g^{ab}:

Construction 4.14. (Steganographic Key Exchange)

Procedure SKE_Encode:
Input: primes P, Q, h, ĝ ∈ Z_P^*
repeat:
    sample a ← U(Z_{P−1})
until MSB of ĝ^a mod P equals 0
Let c_a = all bits of ĝ^a except MSB
Output: Basic_Encode(c_a, h, k)

Procedure SKE_Compute_Key:
Input: Stegotext s_1, ..., s_l, a ∈ Z_{P−1}
Let c_b = Basic_Decode(s_1, ..., s_l)
Output: c_b^{ra} mod P = g^{ab}
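The following Python program is an added worked example, not code from the thesis, covering both Construction 4.3 (DDHRand) above and Construction 4.14 (SKE) here, since the two share the same trick: choose P = rQ + 1, draw exponents from Z_{P−1}, and reject any ĝ^y whose top bit is set so that what leaves Alice is a uniform (k−1)-bit string rather than a recognisable group element. Everything concrete is a constructed assumption: the group is a 24-bit safe prime (r = 2) found by trial division, the pairwise-independent hash is H_{a,b}(x) = ((ax + b) mod P) mod 2^κ with κ = k/3, the private-key scheme (E, D) is stood in for by a SHA-256 counter-mode keystream assumed pseudorandom, and ĝ is carried in the public key because Encrypt needs it. Basic_Encode is not repeated here; ske_encode returns the bits c_a that it would embed.

```python
import hashlib
import random

# Constructed toy parameters for Constructions 4.3 and 4.14: P = rQ + 1 with r = 2
# (a safe prime) and |P| = k bits, found by trial division. Illustration only,
# nowhere near a secure size.


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_group(k, rng):
    """Return (P, Q, r, g_hat, g): g_hat generates Z_P^* and g = g_hat^r has order Q."""
    while True:
        Q = rng.randrange(1 << (k - 2), 1 << (k - 1)) | 1
        P = 2 * Q + 1  # so 2^{k-1} < P < 2^k
        if is_prime(Q) and is_prime(P):
            break
    r = (P - 1) // Q
    for g_hat in range(2, P):
        if pow(g_hat, r, P) != 1 and pow(g_hat, Q, P) != 1:  # order is neither r nor Q
            return P, Q, r, g_hat, pow(g_hat, r, P)


def hidden_share(P, g_hat, rng):
    """Sample y <- Z_{P-1} until g_hat^y mod P < 2^{k-1}. Conditioned on that the share
    is a uniform (k-1)-bit string (up to the missing value 0), so its bits can be sent
    as-is or handed to Basic_Encode without betraying that they are a group element."""
    k = P.bit_length()
    while True:
        y = rng.randrange(P - 1)
        s = pow(g_hat, y, P)
        if s < 1 << (k - 1):
            return y, s


def hash_eval(H, P, kappa, x):
    """H_{a,b}(x) = ((a x + b) mod P) mod 2^kappa: pairwise independent over Z_P
    (the final reduction adds a bias of at most 2^kappa / P)."""
    a, b = H
    return ((a * x + b) % P) % (1 << kappa)


def keystream(K, iv, n):
    # Stand-in for the IND$-CPA private-key scheme (E, D) of Chapter 2: SHA-256 in
    # counter mode under the kappa-bit key K. Assumed pseudorandom for illustration.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(K.to_bytes(8, "big") + iv + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def sym_encrypt(K, m, rng):
    iv = rng.getrandbits(64).to_bytes(8, "big")
    return iv + bytes(a ^ b for a, b in zip(m, keystream(K, iv, len(m))))


def sym_decrypt(K, c):
    return bytes(a ^ b for a, b in zip(c[8:], keystream(K, c[:8], len(c) - 8)))


def ddhrand_keygen(k, rng):
    P, Q, r, g_hat, g = find_group(k, rng)
    x = rng.randrange(1, Q)
    return (g, pow(g, x, P), P, g_hat), (x, P, Q)  # public (g, g^x, P, g_hat); private (x, P, Q)


def ddhrand_encrypt(pk, m, rng):
    g, gx, P, g_hat = pk
    kappa = P.bit_length() // 3  # kappa <= k/3, as the leftover-hash step requires
    H = (rng.randrange(1, P), rng.randrange(P))
    y, s = hidden_share(P, g_hat, rng)  # s = g_hat^y, top bit clear
    K = hash_eval(H, P, kappa, pow(gx, y, P))  # K = H((g^x)^y mod P)
    return H, s, sym_encrypt(K, m, rng)


def ddhrand_decrypt(sk, ct):
    x, P, Q = sk
    H, s, c = ct
    r = (P - 1) // Q
    K = hash_eval(H, P, P.bit_length() // 3, pow(s, r * x, P))  # s^{rx} = g^{xy}
    return sym_decrypt(K, c)


def ske_encode(P, g_hat, rng):
    """SKE_Encode: Alice's secret a and c_a = g_hat^a mod P with its MSB (zero) dropped."""
    return hidden_share(P, g_hat, rng)


def ske_compute_key(P, Q, a, c_b):
    """SKE_Compute_Key: c_b^{ra} mod P = g^{ab}."""
    return pow(c_b, ((P - 1) // Q) * a, P)


def demo(seed=1, k=24):
    rng = random.Random(seed)
    pk, sk = ddhrand_keygen(k, rng)
    pt = ddhrand_decrypt(sk, ddhrand_encrypt(pk, b"meet at noon", rng))
    P, Q, g_hat = sk[1], sk[2], pk[3]
    a, c_a = ske_encode(P, g_hat, rng)
    b, c_b = ske_encode(P, g_hat, rng)
    k_ab, k_ba = ske_compute_key(P, Q, a, c_b), ske_compute_key(P, Q, b, c_a)
    return pt, k_ab == k_ba == pow(pk[0], a * b, P), max(c_a, c_b) < 1 << (k - 1)


if __name__ == "__main__":
    print(demo())
```

Both parties end with the same subgroup element g^{ab} (checked against pow(g, a·b, P) in demo), and both shares stay below 2^{k−1}, which is the property the warden's view depends on: without the rejection step, a share would be a uniform element of Z_P^* and the gap between P and 2^k would give the warden a test that distinguishes it from random bits.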


Lemma  4.15.  Let  /  be  e-biased  on  B.  Then  for  any  warden  W  G  W(t),  we  can 
construct  a  DDH  adversary  A  where  Adv^dh((),  P,  Q)  >  f  AdvgkgBj/F(/e)  —  2 ke.  The 
running  time  of  A  is  at  most  t  +  0{k2). 


Proof. $A$ takes as input a triple $(g^a, g^b, g^c)$ and attempts to decide whether $c = ab$, as follows. First, $A$ computes $\tau$ as the least positive integer such that $r\tau \equiv 1 \pmod Q$, and then picks $\alpha, \beta \leftarrow \mathbb{Z}_r$. Then $A$ computes $c_a = (g^a)^{\tau} h^{\alpha Q}$ and $c_b = (g^b)^{\tau} h^{\beta Q}$. If $c_a \ge 2^{k-1}$ or $c_b \ge 2^{k-1}$, $A$ outputs 0. Otherwise, $A$ computes $s_a = $ Basic_Encode$(c_a)$ and $s_b = $ Basic_Encode$(c_b)$; $A$ then outputs the result of computing $W(s_a, s_b, g^c)$. We claim that:
• The elements $c_a, c_b$ are uniformly distributed in $\mathbb{Z}_P^*$ when $a, b \leftarrow \mathbb{Z}_Q$. To see that this is true, observe that the exponent of $c_a$ with respect to $h$, $\varepsilon_a = r\tau a + \alpha Q$, is congruent to $a \bmod Q$ and to $\alpha Q \bmod r$; and that for uniform $\alpha$, $\alpha Q$ is also a uniform residue mod $r$ (since $\gcd(r, Q) = 1$). By the Chinese remainder theorem, there is exactly one element of $\mathbb{Z}_{rQ} = \mathbb{Z}_{P-1}$ that satisfies these conditions, for every $a$ and $\alpha$. Thus $c_a$ is uniformly chosen. The same argument holds for $c_b$.

• $A$ halts and outputs 0 with probability at most $3/4$ over its input and random choices; and conditioned on not halting, the values $c_a, c_b$ are uniformly distributed in $\{0,1\}^{k-1}$. This is true because $P \le 2^k$ by assumption, so each of $c_a, c_b$ falls below $2^{k-1}$ with probability at least $1/2$.

• The sequence $(s_a, s_b)$ is $2k\epsilon$-statistically close to $\mathcal{B}$. This follows from Lemma 4.8.

• When $c = ab$, the element $g^c$ is exactly the output of $SD(a, s_b) = SD(b, s_a)$. This is because
$$c_a^{\,rb} = \left(h^{r\tau a + \alpha Q}\right)^{rb} = h^{r\tau \cdot rab} \cdot h^{rQ \cdot \alpha b} = g^{r\tau ab} = g^{ab} = g^c,$$
using $h^{rQ} = h^{P-1} = 1$ and $g^{r\tau} = g$ (as $g$ has order $Q$ and $r\tau \equiv 1 \pmod Q$).

• When $c \ne ab$, the input $H\|s\|E_{H^{(m_A)}}$ is selected exactly according to the output of $H_1$, by construction.


Thus,
$$\Pr[A(g^a, g^b, g^{ab}) = 1] = \tfrac{1}{4}\Pr[W(SKE(a, b)) = 1],$$
and
$$\left|\Pr[A(g^a, g^b, g^c) = 1] - \tfrac{1}{4}\Pr[W(\mathcal{B}, k) = 1]\right| \le 2k\epsilon.$$
And therefore $\mathbf{Adv}^{ddh}_{A}(g, P, Q) \ge \frac{1}{4}\mathbf{Adv}^{ske}_{SKE,\mathcal{B},W}(k) - 2k\epsilon$. □

Theorem 4.16. If $f$ is $\epsilon$-biased on $\mathcal{B}$, then
$$\mathbf{InSec}^{ske}_{SKE,\mathcal{B}}(t, k) \le 4\,\mathbf{InSec}^{ddh}_{g,P,Q}(t + O(k^2)) + 8k\epsilon.$$
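As an added worked example (not part of the thesis), the following Python code runs Construction 4.14 end to end with toy parameters $P = 23$, $Q = 11$, $r = 2$ and $h = 5$. The channel oracle (random 8-byte documents), the function $f$ (low bit of SHA-256, assumed unbiased on that channel) and the tiny group size are assumptions of the example; a deployment would use a large $P$. It shows the MSB rejection sampling that makes the transmitted value a uniform $(|P|-1)$-bit string, Basic_Encode and Basic_Decode as rejection sampling on $f$, and the final agreement $(h^b)^{ra} = g^{ab}$.

```python
import hashlib
import secrets
from math import gcd

# Toy parameters, constructed for illustration: P = r*Q + 1 with Q prime and gcd(r, Q) = 1.
P, Q, R = 23, 11, 2
H = 5                    # h: a generator of Z_P^* (5 is a primitive root mod 23)
G = pow(H, R, P)         # g = h^r generates the subgroup of order Q
K = P.bit_length()       # |P| = 5; the strings sent carry K - 1 = 4 bits
assert P == R * Q + 1 and gcd(R, Q) == 1 and pow(G, Q, P) == 1


def f(doc: bytes) -> int:
    """The bit-extraction function f: low bit of SHA-256 (assumed unbiased on the toy channel)."""
    return hashlib.sha256(doc).digest()[0] & 1


def sample_channel(history: bytes) -> bytes:
    """Toy channel oracle: 8 random bytes (a real channel would depend on the history)."""
    return secrets.token_bytes(8)


def basic_encode(bits, history=b"", max_tries=64):
    """Basic_Encode: for each bit, rejection-sample a document s with f(s) = bit."""
    out = []
    for b in bits:
        for _ in range(max_tries):
            s = sample_channel(history)
            if f(s) == b:
                break
        out.append(s)
        history += s
    return out


def basic_decode(docs):
    """Basic_Decode: read the hidden bit off every document."""
    return [f(s) for s in docs]


def ske_encode():
    """SKE_Encode: resample a until h^a mod P has MSB 0, then send its remaining K-1 bits."""
    while True:
        a = secrets.randbelow(P - 1)
        c = pow(H, a, P)
        if c < (1 << (K - 1)):          # MSB of the K-bit value is 0
            break
    bits = [(c >> i) & 1 for i in range(K - 2, -1, -1)]   # all bits except the MSB
    return a, basic_encode(bits)


def ske_compute_key(stegotext, a):
    """SKE_Compute_Key: recover h^b from the stegotext and output (h^b)^{ra} = g^{ab}."""
    bits = basic_decode(stegotext)
    c_other = int("".join(map(str, bits)), 2)
    return pow(c_other, R * a, P)


def run_exchange():
    """Both halves of the protocol; returns (Alice's key, Bob's key, g^{ab})."""
    a, s_a = ske_encode()
    b, s_b = ske_encode()
    return ske_compute_key(s_b, a), ske_compute_key(s_a, b), pow(G, a * b, P)
```

Because $h^a \bmod P$ is uniform on $\mathbb{Z}_P^*$, conditioning on the MSB being 0 leaves a value uniform on $\{1, \ldots, 2^{K-1}-1\}$; the only string of $\{0,1\}^{K-1}$ never sent is the all-zero one, which is what the proof's "uniform in $\{0,1\}^{k-1}$" glosses over at negligible cost for large $P$.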
Chapter 5


Security  against  Active  Adversaries 


The  results  of  the  previous  two  chapters  show  that  a  passive  adversary  (one  who 
simply  eavesdrops  on  the  communications  between  Alice  and  Bob)  cannot  hope  to 
subvert  the  operation  of  a  stegosystem.  In  this  chapter,  we  consider  the  notion  of  an 
active  adversary  who  is  allowed  to  introduce  new  messages  into  the  communications 
channel  between  Alice  and  Bob.  In  such  a  situation,  an  adversary  could  have  two 
different  goals:  disruption  or  detection. 

Disrupting  adversaries  attempt  to  prevent  Alice  and  Bob  from  communicating 
steganographically,  subject  to  some  set  of  publicly-known  restrictions.  We  call  a 
stegosystem  which  is  secure  against  this  type  of  attack  robust.  In  this  chapter  we  will 
give  a  formal  definition  of  robustness  against  such  an  attack,  consider  what  type  of 
restrictions  on  an  adversary  are  necessary  (under  this  definition)  for  the  existence  of  a 
robust  stegosystem,  and  give  the  first  construction  of  a  provably  robust  stegosystem 
against  any  set  of  restrictions  satisfying  this  necessary  condition.  Our  protocol  is 
secure  assuming  the  existence  of  pseudorandom  functions. 

Distinguishing adversaries introduce additional traffic between Alice and Bob in hopes of tricking them into revealing their use of steganography. We consider the security of symmetric- and public-key stegosystems against active distinguishers, and give constructions that are secure against various notions of active distinguishing attacks. We also show that no stegosystem can be simultaneously secure against both disrupting and distinguishing active adversaries.
5.1 Robust Steganography


Robust  steganography  can  be  thought  of  as  a  game  between  Alice  and  Ward  in  which 
Ward  is  allowed  to  make  some  alterations  to  Alice’s  messages.  Ward  wins  if  he  can 
sometimes  prevent  Alice’s  hidden  messages  from  being  read;  while  Alice  wins  if  she 
can  pass  a  hidden  message  with  high  probability,  even  when  Ward  alters  her  public 
messages. For example, if Alice passes a single bit per document and Ward is unable to change the bit with probability at least $1/2$, Alice may be able to use error-correcting codes to reliably transmit her message. It will be important to state the limitations we
impose  on  Ward,  since  otherwise  he  can  replace  all  messages  with  a  new  (independent) 
draw  from  the  channel  distribution,  effectively  destroying  any  hidden  information.  In 
this  section  we  give  a  formal  definition  of  robust  steganography  with  respect  to  a 
limited  adversary. 

We will model the constraint on Ward's power by a relation $R$ which is constrained to not corrupt the channel too much. That is, if Alice sends document $d$, Bob must receive a document $d'$ such that $(d, d') \in R$. This general notion of constraint is sufficient to include many simpler notions such as (for example) "only alter at most 10% of the bits". We will assume that it would be feasible for Alice and Bob to check (after the fact) whether Ward has in fact obeyed this constraint; thus both Alice and Bob know the "rules" Ward must play by. Note however that Ward's strategy is still unknown to Alice and Bob.

We  consider  robustness  in  a  symmetric-key  setting  only,  since  unless  Alice  and 
Bob  share  some  initial  secret  they  cannot  hope  to  accurately  exchange  keys.  One 
could  alternatively  consider  a  scenario  in  which  the  adversary  is  not  allowed  to  alter 
some  initial  amount  of  communications  between  Alice  and  Bob;  but  in  this  case, 
using  a  steganographic  key  exchange  followed  by  a  symmetric-key  robust  stegosystem 
is  sufficient. 

5.1.1 Definitions for Substitution-Robust Steganography

We model an $R$-bounded active warden $W$ as an adversary which plays the following game against a stegosystem $S$:

1. $W$ is given oracle access to the channel distribution $\mathcal{C}$ and to $SE(K, \cdot, \cdot)$. $W$ may access these oracles at any time throughout the game.

2. $W$ presents an arbitrary message $m_W \in \{0,1\}^{\mu}$ and history $h_W$.

3. $W$ is then given a sequence of documents $\sigma = (\sigma_1, \ldots, \sigma_l) \leftarrow SE(K, m_W, h_W)$, and produces a sequence $s_W = (s_1, \ldots, s_l) \in D^l$, where $(\sigma_i, s_i) \in R$ for each $1 \le i \le l$.

Define the success of $W$ against $S$ by
$$\mathbf{Succ}^{R}_{S,W}(k) = \Pr[SD(K, s_W, h_W) \ne m_W],$$
where the probability is taken over the choice of $K$ and the random choices of $S$ and $W$. Define the failure rate of $S$ by
$$\mathbf{Fail}^{R}_{S}(t, q, l, \mu, k) = \max_{W \in \mathcal{W}(R, t, q, l, \mu)} \{\mathbf{Succ}^{R}_{S,W}(k)\},$$
where $\mathcal{W}(R, t, q, l, \mu)$ denotes the set of all $R$-bounded active wardens that submit at most $q(k)$ encoding queries of total length at most $l(k)$, produce a plaintext of length at most $\mu(k)$, and run in time at most $t(k)$.

Definition 5.1. A sequence of stegosystems $\{S_k\}_{k \in \mathbb{N}}$ is called substitution robust for $\mathcal{C}$ against $R$ if it is steganographically secret for $\mathcal{C}$ and there is a negligible function $\nu(k)$ such that for every PPT $W$, for all sufficiently large $k$, $\mathbf{Succ}^{R}_{S,W}(k) \le \nu(k)$.

5.1.2 Necessary conditions for robustness

Consider the question of what conditions on the relation $R$ are necessary to allow communication to take place between Alice and Bob. Surely it should not be the case that $R = D \times D$, since in this case Ward's "substitutions" can be chosen independently of Alice's transmissions, and Bob will get no information about what Alice has said.

Furthermore, if there is some document $d'$ and history $h$ for which
$$\sum_{(d, d') \in R} \Pr_{\mathcal{C}_h}[d] = 1,$$
then when $h$ has transpired, Ward can effectively prevent the transfer of information from Alice to Bob by sending the document $d'$ regardless of the document transmitted by Alice, because the probability that Alice picks a document related to $d'$ is 1. That is, after history $h$, regardless of Alice's transmission $d$, Ward can replace it by $d'$, so seeing $d'$ will give Bob no information about what Alice said.

Since we model the attacker as controlling the history $h$, then, a necessary condition on $R$ and $\mathcal{C}$ for robust communication is that
$$\forall h.\ \Pr_{\mathcal{C}}[h] = 0 \ \text{ or } \ \max_{y} \sum_{(x, y) \in R} \Pr_{\mathcal{C}_h}[x] < 1.$$

We denote by $I(R, \mathcal{D})$ the function $\max_{y} \sum_{(x, y) \in R} \Pr_{\mathcal{D}}[x]$. We say that the pair $(R, \mathcal{D})$ is $\delta$-admissible if $I(R, \mathcal{D}) \le \delta$, and a pair $(R, \mathcal{C})$ is $\delta$-admissible if $\forall h.\ \Pr_{\mathcal{C}}[h] = 0$ or $I(R, \mathcal{C}_h) \le \delta$. Our necessary condition states that $(R, \mathcal{C})$ must be $\delta$-admissible for some $\delta < 1$.

It turns out that this condition (on $R$) will be sufficient, for an efficiently sampleable channel, for the existence of a stegosystem which is substitution-robust against $R$.


5.1.3 Universally Substitution-Robust Stegosystem

In this section we give a stegosystem which is substitution robust against any admissible bounding relation $R$, under a slightly modified assumption on the channel, and assuming that Alice and Bob know some efficiently computable, $\delta$-admissible relation $R'$ such that $R'$ is a superset of $R$. As with most of our constructions, this stegosystem is not really practical, but it serves as a proof that robust steganography is possible for any admissible relation.

Suppose that the channel distribution $\mathcal{C}$ is efficiently sampleable. (Recall that $\mathcal{C}$ is efficiently sampleable if there is an efficient algorithm $C$ such that, given a uniformly chosen string $s \in \{0,1\}^k$, a security parameter $1^k$ and history $h$, $C(h, 1^k, s)$ is indistinguishable from $\mathcal{C}_h$.) We will assume that Alice, Bob, and Ward all have access to this algorithm. Furthermore, we assume Alice and Bob share a key $K$ to a pseudorandom function family $F : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^k$, and have a synchronized counter $N$. We will let $n(k) = \omega(\log k)$ be a "robustness parameter." We begin with a stegosystem which robustly encodes a single bit.


Construction 5.2. ROneBit

Procedure Encode:

Input: $K$; $m \in \{0,1\}$; $h$
for $i = 1 \ldots n$ do
    set $\sigma_i = C(h, 1^k, F_K(N, m))$
    increment $N$
    set $h = (h, \sigma_i)$
Output: $\sigma_1, \ldots, \sigma_n$

Procedure Decode:

Input: $K$; $s_1, \ldots, s_n \in D^n$; $h$
set $m = 0$; set $h_0 = h_1 = ()$
for $i = 1 \ldots n$ do
    for $b \in \{0,1\}$ do
        set $\sigma_b = C((h, h_b), 1^k, F_K(N, b))$
        set $h_b = (h_b, \sigma_b)$
    increment $N$
    if ($m = 0 \wedge (\sigma_0, s_i) \in R'$) then $m = 0$ else $m = 1$
set $h = (h, h_m)$
Output: $m$

Decode advances the shared counter $N$ in step with Encode, so that both parties evaluate $F_K$ on the same nonces.

The idea behind this construction is this: suppose that instead of sharing a key to a pseudorandom function $F$, Alice and Bob shared two secret documents $d_0, d_1$ drawn independently from $\mathcal{C}_h$. Then Alice could send Bob the message bit $m$ by sending document $d_m$, and Bob could recover $m$ by checking whether the document he received was related (by $R'$) to $d_0$ or $d_1$. Since the adversary is $R$-bounded and $(\mathcal{D}, R')$ is $\delta$-admissible, the probability of a decoding error, caused either by the adversary or by an accidental draw of $d_0, d_1$, would be at most $\delta$. Intuitively, ROneBit reduces the probability of decoding error to $\delta^n$ by encoding each hiddentext bit $n$ times.

Lemma 5.3. ROneBit is steganographically secret against a nonce-respecting chosen hiddentext attack:
$$\mathbf{InSec}^{ss}_{\text{ROneBit},\mathcal{C}}(t, q, q, k) \le \mathbf{InSec}^{prf}_{F}(t + O(nq), nq, k).$$

Proof. Let $W$ be a passive warden which runs in time $t$ and makes at most $q$ queries of total length at most $q$ (each query can be only one bit, because of the type). We construct a PRF adversary $A$ which runs in time $t + O(nq)$ and makes at most $nq$ queries to $F$, such that
$$\mathbf{Adv}^{prf}_{F,A}(k) = \mathbf{Adv}^{ss}_{\text{ROneBit},\mathcal{C},W}(k).$$
The PRF adversary takes a function oracle $f$ and emulates $W(1^k)$, responding to the queries $W$ makes to the encoder $SE$ by using $f$ in place of $F_K(\cdot, \cdot)$. More formally, we define the subroutine $SSE^f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ as follows:

Procedure $SSE^f$:

Input: bit $m$, history $h$
for $i = 1 \ldots n$ do
    set $\sigma_i = C(h, 1^k, f(N, m))$
    increment $N$
    set $h = (h, \sigma_i)$
Output: $\sigma_1, \ldots, \sigma_n$

Then we define $A^f(1^k) = W^{SSE^f}(1^k)$; $A$'s advantage over $F$ is then:
$$\begin{aligned}
\mathbf{Adv}^{prf}_{F,A}(k) &= \left|\Pr[A^{F_K}(1^k) = 1] - \Pr[A^{f}(1^k) = 1]\right| \\
&= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[A^{f}(1^k) = 1]\right| \\
&= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1]\right| \\
&= \mathbf{Adv}^{ss}_{\text{ROneBit},\mathcal{C},W}(k),
\end{aligned}$$
where the following cases for $f$ justify the substitutions:

• $f$ is chosen from $F_K(\cdot, \cdot)$. Then the output of $SSE^f$ is distributed identically to the encoding function of ROneBit. That is,
$$\Pr[A^{F_K}(1^k) = 1] = \Pr[W^{ST}(1^k) = 1].$$

• $f$ is chosen uniformly. Then by assumption on $C$, the output of $SSE^f$ is distributed identically to samples from $\mathcal{C}_h^n$; that is,
$$\Pr[A^{f}(1^k) = 1] = \Pr[W^{CT}(1^k) = 1].$$

The claim follows by the definition of insecurity. □

Lemma 5.4. $\mathbf{Fail}^{R}_{\text{ROneBit}}(t, q, q, 1, k) \le \mathbf{InSec}^{prf}_{F}(t + O(nq), nq, k) + \delta^n$.

Proof. Let $W$ be an active $R$-bounded $(t, q, q, 1)$ warden. We construct a PRF adversary $A$ which runs in time $t + O(nq)$, makes at most $nq$ PRF queries, and satisfies $\mathbf{Adv}^{prf}_{F,A}(k) \ge \mathbf{Succ}^{R}_{\text{ROneBit},W}(k) - \delta^n$. $A^f$ works by emulating $W$, using its function oracle $f$ in place of $F_K(\cdot, \cdot)$ to emulate ROneBit.Encode in responding to the queries of $W$. Let $m_W, s_W$ be the hiddentext and the stegotext sequence returned by $W$, respectively. Then $A^f$ returns 1 iff $SD^f(s_W, h_W) \ne m_W$. Consider the following two cases for $f$:

• $f$ is chosen uniformly from all appropriate functions. Then, for each $i$, the stegotexts $\sigma_i = C(h_i, 1^k, f(N + i, m_W))$ are distributed independently according to $\mathcal{C}_{h_i}$. Consider the sequence of "alternative stegotexts" $d_i = C(h'_i, 1^k, f(N + i, 1 - m_W))$; each of these is also distributed independently according to $\mathcal{C}_{h'_i}$, and since $W$ is never given access to the $d_i$, the $s_i$ are independent of the $d_i$. Now $SD$ will fail (causing $A^f(1^k)$ to output 1) only if the event $\forall i.\ (d_i, s_i) \in R'$ occurs. Because the $d_i$ are independent of the actions of $W$, and because $(\mathcal{D}, R')$ is $\delta$-admissible, each event $(d_i, s_i) \in R'$ happens independently with probability at most $\delta$. So the probability of failure is at most $\delta^n$:
$$\Pr[A^{f}(1^k) = 1] \le \delta^n.$$

• $f$ is chosen uniformly from $F_K$. Then $A^{F_K}(1^k)$ outputs 1 exactly when $W$ succeeds against ROneBit, by the definition of ROneBit:
$$\Pr[A^{F_K}(1^k) = 1] = \mathbf{Succ}^{R}_{\text{ROneBit},W}(k).$$

Taking the difference of these probabilities, we get:
$$\begin{aligned}
\mathbf{Adv}^{prf}_{F,A}(k) &= \Pr[A^{F_K}(1^k) = 1] - \Pr[A^{f}(1^k) = 1] \\
&= \mathbf{Succ}^{R}_{\text{ROneBit},W}(k) - \Pr[A^{f}(1^k) = 1] \\
&\ge \mathbf{Succ}^{R}_{\text{ROneBit},W}(k) - \delta^n.
\end{aligned}$$
□

Theorem 5.5. If $F$ is pseudorandom then ROneBit is substitution-robust against $R$ for $\mathcal{C}$.

Proof. The theorem follows by the conjunction of the previous lemmata. □
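As an added example (not from the thesis) that serves both the admissibility function $I(R, \mathcal{D})$ of Section 5.1.2 and Construction 5.2, the Python code below computes $I(R', \mathcal{D})$ for a toy channel whose documents are 8-bit values (uniform for a uniform seed), with $R'$ = "Hamming distance at most 2", and then runs ROneBit encoding and decoding, bit after bit with the counter and histories carried across calls as Construction 5.6 requires, against an $R$-bounded warden who flips one bit of every document in transit ($R$ = "distance at most 1", a subset of $R'$). The channel sampler, HMAC-SHA256 as the PRF $F$, $n = 8$ and both relations are assumptions of the example.

```python
import hashlib
import hmac

# Toy efficiently sampleable channel (constructed): documents are 8-bit values,
# uniform over DOCS for a uniform seed; C(h, 1^k, s) is modelled as C(h, s).
DOCS = range(256)


def C(h: bytes, seed: bytes) -> int:
    return hashlib.sha256(h + seed).digest()[0]


def hamming(x: int, y: int) -> int:
    return bin(x ^ y).count("1")


def R_prime(d: int, d2: int) -> bool:
    """The efficiently computable relation R' Alice and Bob agree on: Hamming distance <= 2."""
    return hamming(d, d2) <= 2


def admissibility(rel, dist) -> float:
    """I(R, D) = max_y sum_{(x, y) in R} Pr_D[x]; (R, D) is delta-admissible iff this is <= delta."""
    return max(sum(p for x, p in dist.items() if rel(x, y)) for y in dist)


UNIFORM = {d: 1 / 256 for d in DOCS}
DELTA = admissibility(R_prime, UNIFORM)      # 37/256: a radius-2 Hamming ball in 8 bits

N_REP = 8                                    # the robustness parameter n


def F(K: bytes, N: int, b: int) -> bytes:
    """PRF F_K(N, b), instantiated with HMAC-SHA256 (an assumption of this example)."""
    return hmac.new(K, N.to_bytes(8, "big") + bytes([b]), hashlib.sha256).digest()[:16]


def ronebit_encode(K: bytes, m: int, h: bytes, N: int):
    """ROneBit.Encode: n documents seeded by F_K(N, m); returns (documents, new history, new N)."""
    docs = []
    for _ in range(N_REP):
        sigma = C(h, F(K, N, m))
        N += 1
        h += bytes([sigma])
        docs.append(sigma)
    return docs, h, N


def ronebit_decode(K: bytes, s, h: bytes, N: int):
    """ROneBit.Decode: m stays 0 only while every received s_i is R'-related to the bit-0 alternative."""
    m = 0
    hb = [b"", b""]                          # the two candidate histories h_0, h_1
    for i in range(N_REP):
        alt = [0, 0]
        for b in (0, 1):
            alt[b] = C(h + hb[b], F(K, N, b))
            hb[b] += bytes([alt[b]])
        N += 1
        if not (m == 0 and R_prime(alt[0], s[i])):
            m = 1
    return m, h + hb[m], N


def ward_substitute(docs):
    """An R-bounded active warden: flips one bit of each document (distance 1, so R is a subset of R')."""
    return [d ^ (1 << (i % 8)) for i, d in enumerate(docs)]


def robust_roundtrip(K: bytes, bits):
    """Multi-bit use as in Construction 5.6, with Ward altering every document between Alice and Bob."""
    N_a = N_b = 0
    h_a = h_b = b""
    decoded = []
    for m in bits:
        docs, h_a, N_a = ronebit_encode(K, m, h_a, N_a)
        m2, h_b, N_b = ronebit_decode(K, ward_substitute(docs), h_b, N_b)
        decoded.append(m2)
    return tuple(decoded)
```

A 0 bit can never be misdecoded here: Ward's substitute stays within distance 1 of Alice's document, which is exactly Bob's bit-0 alternative. A 1 bit is lost only if all $n$ received documents happen to lie within distance 2 of the independent bit-0 alternatives, which is the $\delta^n = (37/256)^8$ term of Lemma 5.4; replacing `R_prime` by `lambda x, y: True` makes `admissibility` return 1 and illustrates the non-admissible case $R = D \times D$.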
We now show how to extend ROneBit to handle multiple-bit messages. We assume the same setup as previously, i.e., Alice and Bob share a synchronized counter $N$ and a key $K$ to a PRF $F : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^k$, and know an efficiently computable, admissible relation $R' \supseteq R$. We assume that the "state updates" made by calls to ROneBit are maintained across invocations.

Construction 5.6. Robust

Procedure Encode:

Input: $K$; $m \in \{0,1\}^l$; $h$
for $i = 1 \ldots l$ do
    set $\sigma_{i,1 \ldots n} = $ ROneBit.SE$(K, m_i, h, N)$
Output: $\sigma_{1,1}, \ldots, \sigma_{l,n}$

Procedure Decode:

Input: $K$; $s_{1,1}, \ldots, s_{l,n} \in D^{l \times n}$; $h$
for $i = 1 \ldots l$ do
    set $m_i = $ ROneBit.SD$(K, s_{i,1 \ldots n}, h, N)$
Output: $m_1, \ldots, m_l$

Lemma 5.7. Robust is steganographically secret against a nonce-respecting chosen hiddentext attack:
$$\mathbf{InSec}^{ss}_{\text{Robust},\mathcal{C}}(t, q, l, k) \le \mathbf{InSec}^{prf}_{F}(t + O(nl), nl, k).$$

Proof. Suppose we are given a warden $W \in \mathcal{W}(t, q, l)$ against the stegosystem Robust. Then we can construct a warden $X \in \mathcal{W}(t, l, l)$ against ROneBit. $X^M$ works by simulating $W$, responding to each oracle query $(m, h)$ by computing $h_0 = h$, and $\sigma_{i,1 \ldots n} = M(m_i, h_{i-1})$, $h_i = (h_{i-1}, \sigma_{i,1 \ldots n})$ for $1 \le i \le |m|$, and returning $\sigma_{1,1 \ldots n}, \ldots, \sigma_{|m|,1 \ldots n}$. Consider the cases for $X$'s oracle $M$:

• If $M \leftarrow$ ROneBit.Encode, then $X$'s responses are distributed identically to those of Robust.Encode. Thus
$$\Pr[X^{ST}(1^k) = 1] = \Pr[W^{ST}(1^k) = 1].$$

• If $M \leftarrow \mathcal{C}_h$, then the response of $X$ to query $(m, h)$ is distributed identically to $\mathcal{C}_h^{|m| \times n}$. Thus
$$\Pr[X^{CT}(1^k) = 1] = \Pr[W^{CT}(1^k) = 1].$$

Combining the cases, we have
$$\begin{aligned}
\mathbf{Adv}^{ss}_{\text{ROneBit},\mathcal{C},X}(k) &= \left|\Pr[X^{ST}(1^k) = 1] - \Pr[X^{CT}(1^k) = 1]\right| \\
&= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1]\right| \\
&= \mathbf{Adv}^{ss}_{\text{Robust},\mathcal{C},W}(k).
\end{aligned}$$
Combining the fact that $X$ makes $l$ queries to ROneBit.Encode and runs in time $t + O(l)$ with the result of Lemma 5.3, we get
$$\mathbf{Adv}^{ss}_{\text{Robust},\mathcal{C},W}(k) \le \mathbf{InSec}^{prf}_{F}(t + O(nl), nl, k).$$
□

Lemma 5.8. $\mathbf{Fail}^{R}_{\text{Robust}}(t, q, l, \mu, k) \le \mathbf{InSec}^{prf}_{F}(t + O(nl), nl, k) + \mu\delta^n$.

Proof. Let $W$ be an active $R$-bounded $(t, q, l, \mu)$ warden. We construct a PRF adversary $A$ which runs in time $t + O(nl)$, makes at most $nl$ PRF queries, and satisfies $\mathbf{Adv}^{prf}_{F,A}(k) \ge \mathbf{Succ}^{R}_{\text{Robust},W}(k) - \mu\delta^n$. $A^f$ works by emulating $W$, using its function oracle $f$ in place of $F_K(\cdot, \cdot)$ to emulate Robust in responding to the queries of $W$. Let $m_W, s_W$ be the hiddentext and the stegotext sequence returned by $W$, respectively. Then $A^f$ returns 1 iff $SD^f(s_W, h_W) \ne m_W$. Consider the following two cases for $f$:

• $f$ is chosen uniformly from all appropriate functions. Then, for each $i, j$, the stegotexts $\sigma_{i,j} = C(h_{i,j}, 1^k, f(N + (i-1)n + j, m_{W,i}))$ are distributed independently according to $\mathcal{C}_{h_{i,j}}$. Consider the sequence of "alternative stegotexts" $d_{i,j} = C(h'_{i,j}, 1^k, f(N + (i-1)n + j, 1 - m_{W,i}))$; each of these is also distributed independently according to $\mathcal{C}_{h'_{i,j}}$, and since $W$ is never given access to the $d_{i,j}$, the $s_{i,j}$ are independent of the $d_{i,j}$. Now $SD$ will fail (causing $A^f(1^k)$ to output 1) only if the event $\forall j.\ (d_{i,j}, s_{i,j}) \in R'$ occurs for some $i$. Because the $d_{i,j}$ are independent of the actions of $W$, and because $(\mathcal{D}, R')$ is $\delta$-admissible, each event $(d_{i,j}, s_{i,j}) \in R'$ happens independently with probability at most $\delta$. So the probability of failure for any single $i$ is at most $\delta^n$, and a union bound over the $\mu$ positions gives us:
$$\Pr[A^{f}(1^k) = 1] \le \mu\delta^n.$$

• $f$ is chosen uniformly from $F_K$. Then $A^{F_K}(1^k)$ outputs 1 exactly when $W$ succeeds against Robust, by the definition of Robust:
$$\Pr[A^{F_K}(1^k) = 1] = \mathbf{Succ}^{R}_{\text{Robust},W}(k).$$

Taking the difference of these probabilities, we get:
$$\begin{aligned}
\mathbf{Adv}^{prf}_{F,A}(k) &= \Pr[A^{F_K}(1^k) = 1] - \Pr[A^{f}(1^k) = 1] \\
&= \mathbf{Succ}^{R}_{\text{Robust},W}(k) - \Pr[A^{f}(1^k) = 1] \\
&\ge \mathbf{Succ}^{R}_{\text{Robust},W}(k) - \mu\delta^n.
\end{aligned}$$
□


5.2  Active  Distinguishing  Attacks 

In an active distinguishing attack, Ward is allowed to ask Bob to decode innocent-looking messages, in order to discover whether the messages sent by Alice are stegotexts or covertexts. In the real world, it might be that Ward knows that if Alice is using steganography, she will encode a certain set of instructions in her message to Bob. Ward could perhaps intercept that message and try to alter the instructions, and then send the altered message to Bob and see how he reacts. If Bob follows Ward's instructions, Ward can conclude that Alice's message must have contained steganography, and if Bob doesn't react, Alice's message was probably innocent.

5.2.1 Chosen-covertext attacks

A chosen-covertext attack is essentially the same as a chosen-hiddentext attack except that the adversary is given access to a decoding oracle, with the restriction that he can't invoke the decoding oracle on the "challenge" sequence, which is either a stegotext or a covertext. We will give a formal definition of this concept, and a construction for any efficiently sampleable channel, assuming the existence of a symmetric or public-key encryption scheme which is indistinguishable from random bits under chosen-ciphertext attack.

Symmetric  chosen-covertext  attacks 

In order to construct a stegosystem which is secure against chosen-covertext attacks, we will first need to introduce the notion of a cryptosystem which is indistinguishable from random bits under chosen-ciphertext attack.

IND$-CCA Security

Definition. Let $\mathcal{E}$ be a symmetric encryption scheme. We define a chosen-ciphertext attack against $\mathcal{E}$ as a game played by an oracle adversary $A$. $A$ is given oracle access to $D_K$ and an encryption oracle $e$ which is either:

• $E_K$: an oracle that returns $E_K(m)$.

• $\$$: an oracle that returns a sample from $U_{|E_K(m)|}$.

$A$ is restricted so that he may not query $D_K$ on the result of any query to $e$. We define $A$'s CCA advantage against $\mathcal{E}$ by
$$\mathbf{Adv}^{cca}_{\mathcal{E},A}(k) = \left|\Pr[A^{E_K, D_K}(1^k) = 1] - \Pr[A^{\$, D_K}(1^k) = 1]\right|,$$
where $K \leftarrow U_k$, and define the CCA insecurity of $\mathcal{E}$ by
$$\mathbf{InSec}^{cca}_{\mathcal{E}}(t, q_e, q_d, \mu_e, \mu_d, k) = \max_{A \in \mathcal{A}(t, q_e, q_d, \mu_e, \mu_d)} \{\mathbf{Adv}^{cca}_{\mathcal{E},A}(k)\},$$
where $\mathcal{A}(t, q_e, q_d, \mu_e, \mu_d)$ denotes the set of adversaries running in time $t$ that make $q_e$ queries of $\mu_e$ bits to $e$, and $q_d$ queries of $\mu_d$ bits to $D_K$.

Then $\mathcal{E}$ is $(t, q_e, q_d, \mu_e, \mu_d, k, \epsilon)$-indistinguishable from random bits under chosen ciphertext attack if $\mathbf{InSec}^{cca}_{\mathcal{E}}(t, q_e, q_d, \mu_e, \mu_d, k) \le \epsilon$. $\mathcal{E}$ is called indistinguishable from random bits under chosen ciphertext attack (IND$-CCA) if for every PPT $A$, $\mathbf{Adv}^{cca}_{\mathcal{E},A}(k)$ is negligible in $k$.

Construction. We let $\mathcal{E}$ be any IND$-CPA-secure symmetric encryption scheme and let $F : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^k$ be a pseudorandom function. We let $K, \kappa \leftarrow U_k$. We construct a cryptosystem $\mathsf{E}$ as follows:

• $\mathsf{E}$.Encrypt$(K, \kappa, m)$: Draw $r \leftarrow U_k$, $c \leftarrow \mathcal{E}.E(K, m)$, compute $t = F_\kappa(r\|c)$, and return $r\|c\|t$.

• $\mathsf{E}$.Decrypt$(K, \kappa, r\|c\|t)$: If $F_\kappa(r\|c) = t$, then return $\mathcal{E}.D_K(c)$, else return $\bot$.
Theorem 5.9.
$$\mathbf{InSec}^{cca}_{\mathsf{E}}(t, q_e, q_d, \mu_e, \mu_d, k) \le \mathbf{InSec}^{cpa}_{\mathcal{E}}(t', q_e, \mu_e, k) + 2\,\mathbf{InSec}^{prf}_{F}(t', q_e + q_d, k) + (q_e^2 + q_d)\,2^{-k}.$$

Proof. Choose an arbitrary adversary $A \in \mathcal{A}(t, q_e, q_d, \mu_e, \mu_d)$. We will consider the advantage of $A$ in distinguishing the following sequence of hybrid oracle pairs:

• $E_1, D_1$: $E_1(m) = \mathsf{E}$.Encrypt$(m)$, $D_1(c) = \mathsf{E}$.Decrypt$(c)$.

• $E_2, D_2$: uniformly choose $f : \{0,1\}^* \to \{0,1\}^k$, and a $K \leftarrow U_k$. To draw from $E_2(m)$, choose $r \leftarrow U_k$, draw $c \leftarrow \mathcal{E}.E_K(m)$, compute $t = f(r\|c)$, and output $r\|c\|t$. To compute $D_2(r\|c\|t)$, output $\bot$ if $t \ne f(r\|c)$ and return $\mathcal{E}.D_K(c)$ otherwise.

• $E_3, D_3$: choose a random $f : \{0,1\}^* \to \{0,1\}^k$, and a random $K \leftarrow U_k$. To draw from $E_3(m)$, choose $r \leftarrow U_k$, draw $c \leftarrow U_{\ell(|m|)}$, compute $t = f(r\|c)$, and output $r\|c\|t$. To compute $D_3(r\|c\|t)$, output $\bot$ if $t \ne f(r\|c)$ and return $\mathcal{E}.D_K(c)$ otherwise.

• $E_4, D_4$: uniformly choose $f : \{0,1\}^* \to \{0,1\}^k$ and $K \leftarrow U_k$. To draw from $E_4(m)$, choose $c \leftarrow U_{2k + \ell(|m|)}$. To compute $D_4(r\|c\|t)$, output $\bot$ if $t \ne f(r\|c)$ and return $\mathcal{E}.D_K(c)$ otherwise.

• $E_5, D_5$: choose $K, \kappa \leftarrow U_k$. To draw from $E_5(m)$, choose $c \leftarrow U_{2k + \ell(|m|)}$. To compute $D_5(r\|c\|t)$, output $\bot$ if $t \ne F_\kappa(r\|c)$ and return $\mathcal{E}.D_K(c)$ otherwise.

By construction it is clear that
$$\Pr[A^{\mathsf{E}.E_K, \mathsf{E}.D_K}(1^k) = 1] = \Pr[A^{E_1, D_1}(1^k) = 1],$$
and it is also obvious that
$$\Pr[A^{\$, \mathsf{E}.D_K}(1^k) = 1] = \Pr[A^{E_5, D_5}(1^k) = 1].$$

If we define the function
$$\mathbf{Adv}^{i}_{A}(k) = \left|\Pr[A^{E_i, D_i}(1^k) = 1] - \Pr[A^{E_{i+1}, D_{i+1}}(1^k) = 1]\right|,$$
we then have that:
$$\begin{aligned}
\mathbf{Adv}^{cca}_{\mathsf{E},A}(k) &= \left|\Pr[A^{\mathsf{E}.E_K, \mathsf{E}.D_K}(1^k) = 1] - \Pr[A^{\$, \mathsf{E}.D_K}(1^k) = 1]\right| \\
&= \left|\Pr[A^{E_1, D_1}(1^k) = 1] - \Pr[A^{E_5, D_5}(1^k) = 1]\right| \\
&\le \sum_{i=1}^{4} \left|\Pr[A^{E_i, D_i}(1^k) = 1] - \Pr[A^{E_{i+1}, D_{i+1}}(1^k) = 1]\right| \\
&= \sum_{i=1}^{4} \mathbf{Adv}^{i}_{A}(k).
\end{aligned}$$

We will proceed to bound $\mathbf{Adv}^{i}_{A}(k)$ for $i \in \{1, 2, 3, 4\}$.

Lemma 5.10. $\mathbf{Adv}^{1}_{A}(k) \le \mathbf{InSec}^{prf}_{F}(t', q_e + q_d, k)$.

Proof. We design a PRF adversary $B$ such that $\mathbf{Adv}^{prf}_{F,B}(k) \ge \mathbf{Adv}^{1}_{A}(k)$ as follows. $B$ picks $K \leftarrow U_k$ and runs $A$. $B$ uses its function oracle $f$ to respond to $A$'s queries as follows:

• On encryption query $m$, $B$ picks $r \leftarrow U_k$, computes $c \leftarrow \mathcal{E}.E_K(m)$, computes $t = f(r\|c)$ and returns $r\|c\|t$.

• On decryption query $r\|c\|t$, $B$ returns $\bot$ if $t \ne f(r\|c)$ and returns $\mathcal{E}.D_K(c)$ otherwise.

Clearly, when $B$'s oracle $f \leftarrow F_\kappa$, $B$ simulates $E_1, D_1$ to $A$:
$$\Pr[B^{F_\kappa}(1^k) = 1] = \Pr[A^{E_1, D_1}(1^k) = 1],$$
and when $f \leftarrow U(*, k)$, $B$ simulates $E_2, D_2$ to $A$:
$$\Pr[B^{f}(1^k) = 1] = \Pr[A^{E_2, D_2}(1^k) = 1],$$
which gives us
$$\begin{aligned}
\mathbf{Adv}^{1}_{A}(k) &= \left|\Pr[A^{E_1, D_1}(1^k) = 1] - \Pr[A^{E_2, D_2}(1^k) = 1]\right| \\
&= \left|\Pr[B^{F_\kappa}(1^k) = 1] - \Pr[B^{f}(1^k) = 1]\right| \\
&= \mathbf{Adv}^{prf}_{F,B}(k) \le \mathbf{InSec}^{prf}_{F}(t', q_e + q_d, k),
\end{aligned}$$
as claimed. □


Lemma 5.11. $\mathbf{Adv}^{2}_{A}(k) \le \mathbf{InSec}^{cpa}_{\mathcal{E}}(t', q_e, \mu_e, k) + q_d 2^{-k}$.

Proof. We will construct a CPA adversary $B$ for $\mathcal{E}$ such that
$$\mathbf{Adv}^{cpa}_{\mathcal{E},B}(k) \ge \mathbf{Adv}^{2}_{A}(k) - q_d 2^{-k}.$$
$B^{\mathcal{O}}$ works by emulating $A$, responding to queries as follows, where $f$ is a randomly chosen function built up on a per-query basis by $B$:

• On encryption query $m$, $B$ picks $r \leftarrow U_k$, computes $c = \mathcal{O}(m)$, sets $t = f(r\|c)$, and returns $r\|c\|t$.

• On decryption query $r\|c\|t$, $B$ checks whether $t = f(r\|c)$; if not, $B$ returns $\bot$, and otherwise $B$ halts and outputs 0.

Let $V$ denote the event that $A$ submits a decryption query that would cause $B$ to halt. Then, conditioned on $\neg V$, when $B$'s oracle is $\$$, $B$ perfectly simulates $E_3, D_3$ to $A$:
$$\Pr[B^{\$}(1^k) = 1] = \Pr[A^{E_3, D_3}(1^k) = 1 \mid \neg V].$$
Also, conditioned on $\neg V$, when $B$'s oracle is $\mathcal{E}.E_K$, $B$ perfectly simulates $E_2, D_2$ to $A$:
$$\Pr[B^{E_K}(1^k) = 1] = \Pr[A^{E_2, D_2}(1^k) = 1 \mid \neg V].$$
Combining the cases, we have:
$$\begin{aligned}
\mathbf{Adv}^{2}_{A}(k) &= \left|\Pr[A^{E_3, D_3}(1^k) = 1] - \Pr[A^{E_2, D_2}(1^k) = 1]\right| \\
&= \Big|\Pr[A^{E_3, D_3}(1^k) = 1 \mid V]\Pr[V] + \Pr[A^{E_3, D_3}(1^k) = 1 \mid \neg V]\Pr[\neg V] \\
&\quad - \left(\Pr[A^{E_2, D_2}(1^k) = 1 \mid V]\Pr[V] + \Pr[A^{E_2, D_2}(1^k) = 1 \mid \neg V]\Pr[\neg V]\right)\Big| \\
&\le \Pr[V]\left|\Pr[A^{E_3, D_3}(1^k) = 1 \mid V] - \Pr[A^{E_2, D_2}(1^k) = 1 \mid V]\right| \\
&\quad + \Pr[\neg V]\left|\Pr[A^{E_3, D_3}(1^k) = 1 \mid \neg V] - \Pr[A^{E_2, D_2}(1^k) = 1 \mid \neg V]\right| \\
&\le \Pr[V] + \left|\Pr[A^{E_3, D_3}(1^k) = 1 \mid \neg V] - \Pr[A^{E_2, D_2}(1^k) = 1 \mid \neg V]\right| \\
&= \Pr[V] + \left|\Pr[B^{\$}(1^k) = 1] - \Pr[B^{E_K}(1^k) = 1]\right| \\
&= \Pr[V] + \mathbf{Adv}^{cpa}_{\mathcal{E},B}(k) \\
&\le q_d 2^{-k} + \mathbf{InSec}^{cpa}_{\mathcal{E}}(t', q_e, \mu_e, k),
\end{aligned}$$
where the last line follows because each decryption query causes $B$ to halt with probability at most $2^{-k}$ (the tag $f(r\|c)$ of a fresh $(r, c)$ is uniform and unknown to $A$), so the union bound over the $q_d$ decryption queries gives $\Pr[V] \le q_d 2^{-k}$. □

Lemma 5.12. $\mathbf{Adv}^{3}_{A}(k) \le q_e^2 / 2^k$.

Proof. Notice that unless $E_3$ chooses the same value of $(r, c)$ at least twice, $E_3$ and $E_4$ are identical (each tag $f(r\|c)$ is then an independent uniform string). Denote this collision event by $C$. Then we have:
$$\begin{aligned}
\mathbf{Adv}^{3}_{A}(k) &= \left|\Pr[A^{E_3, D_3}(1^k) = 1] - \Pr[A^{E_4, D_4}(1^k) = 1]\right| \\
&= \Big|\left(\Pr[A^{E_3, D_3}(1^k) = 1 \mid C]\Pr[C] + \Pr[A^{E_3, D_3}(1^k) = 1 \mid \neg C]\Pr[\neg C]\right) \\
&\quad - \left(\Pr[A^{E_4, D_4}(1^k) = 1 \mid C]\Pr[C] + \Pr[A^{E_4, D_4}(1^k) = 1 \mid \neg C]\Pr[\neg C]\right)\Big| \\
&\le \Pr[C]\left|\Pr[A^{E_3, D_3}(1^k) = 1 \mid C] - \Pr[A^{E_4, D_4}(1^k) = 1 \mid C]\right| \\
&\quad + \Pr[\neg C]\left|\Pr[A^{E_3, D_3}(1^k) = 1 \mid \neg C] - \Pr[A^{E_4, D_4}(1^k) = 1 \mid \neg C]\right| \\
&= \Pr[C]\left|\Pr[A^{E_3, D_3}(1^k) = 1 \mid C] - \Pr[A^{E_4, D_4}(1^k) = 1 \mid C]\right| \\
&\le \Pr[C] \le q_e^2 / 2^k,
\end{aligned}$$
since $r$ alone is a uniform $k$-bit string on each of the $q_e$ encryption queries, so a union bound over pairs of queries bounds $\Pr[C]$ by $q_e^2 / 2^k$. □


Lemma 5.13. $\mathbf{Adv}^{4}_{A}(k) \le \mathbf{InSec}^{prf}_{F}(t', q_d, k)$.

Proof. We construct a PRF adversary $B$ against $F$ with advantage
$$\mathbf{Adv}^{prf}_{F,B}(k) = \mathbf{Adv}^{4}_{A}(k).$$
$B^f$ starts by choosing $K \leftarrow U_k$. $B$ then runs $A$, responding to encryption queries $E(m)$ with $r\|c\|t \leftarrow U_{2k + \ell(|m|)}$, and responding to decryption queries $D(r\|c\|t)$ with $\bot$ if $t \ne f(r\|c)$, and $D_K(c)$ otherwise. $B$ outputs the bit chosen by $A$. Notice that by construction,
$$\Pr[B^{F_\kappa}(1^k) = 1] = \Pr[A^{E_5, D_5}(1^k) = 1], \ \text{ and } \ \Pr[B^{f}(1^k) = 1] = \Pr[A^{E_4, D_4}(1^k) = 1],$$
so by definition of advantage, we get:
$$\begin{aligned}
\mathbf{Adv}^{4}_{A}(k) &= \left|\Pr[A^{E_5, D_5}(1^k) = 1] - \Pr[A^{E_4, D_4}(1^k) = 1]\right| \\
&= \left|\Pr[B^{F_\kappa}(1^k) = 1] - \Pr[B^{f}(1^k) = 1]\right| \\
&= \mathbf{Adv}^{prf}_{F,B}(k) \le \mathbf{InSec}^{prf}_{F}(t', q_d, k).
\end{aligned}$$
□

The theorem follows by the conjunction of the lemmata. □

Chosen-covertext attack definition

In an adaptive chosen-covertext attack against a symmetric stegosystem $S$, an adversary $W$ is given access to a mystery oracle $O$, which is either $SE_K$ for a uniformly chosen key $K$ or $O_{\mathcal{C}}$, which on query $(m, h)$ returns a sample from $\mathcal{C}_h$ of the same length as $SE_K(m, h)$. The attacker is restricted to querying $SD$ only on strings which were not generated by queries to $O$. (As always, $W$ is allowed to know the channel distribution $\mathcal{C}$.) At the conclusion of the attack, $W$ must guess the type of $O$. We define the Symmetric Chosen-Covertext Advantage of $W$ against $S$ with respect to $\mathcal{C}$ by
$$\mathbf{Adv}^{sCCA}_{S,\mathcal{C},W}(k) = \left|\Pr[W^{SE, SD}(1^k) = 1] - \Pr[W^{O_{\mathcal{C}}, SD}(1^k) = 1]\right|,$$
and define the sCCA insecurity of $S$ with respect to $\mathcal{C}$ by
$$\mathbf{InSec}^{sC CA}_{S,\mathcal{C}}(t, q_e, q_d, \mu_e, \mu_d, k) = \max_{W \in \mathcal{W}(t, q_e, q_d, \mu_e, \mu_d)} \{\mathbf{Adv}^{sCCA}_{S,\mathcal{C},W}(k)\},$$
where $\mathcal{W}(t, q_e, q_d, \mu_e, \mu_d)$ denotes the class of all $W$ running in time $t$ which make at most $q_e$ encoding queries of $\mu_e$ bits and at most $q_d$ decoding queries of $\mu_d$ bits.

We say that $S$ is $(t, q, \mu, k, \epsilon)$-secure against symmetric chosen-covertext attack with respect to $\mathcal{C}$ if
$$\mathbf{InSec}^{sCCA}_{S,\mathcal{C}}(t, q, \mu, k) \le \epsilon,$$
and that $S$ is secure against symmetric chosen-covertext attack with respect to $\mathcal{C}$ (SS-sCCA) if $\mathbf{Adv}^{sCCA}_{S,\mathcal{C},W}(k)$ is negligible for all PPT $W$.
Construction

Both of our constructions of chosen-covertext secure stegosystems will require an efficiently sampleable channel $\mathcal{C}$,¹ and will make use of the following “deterministic encoding” routine:

Construction 5.14. (Deterministic Encoding)

Procedure DEncode:
Input: bits $c_1, \ldots, c_l$, history $h$, bound $k$, randomness $r_1, \ldots, r_{lk} \in \{0,1\}^k$
Let $t = 0$
for $i = 1 \ldots l$ do
    Let $j = 0$
    repeat:
        compute $s_i = C(1^k, h, r_t)$, increment $j$, $t$
    until $f(s_i) = c_i$ OR ($j > k$)
    set $h = (h, s_i)$
Output: $s_1, s_2, \ldots, s_l$

For a given sequence of $lk$ random inputs, this routine has exactly one possible encoding for any message. Building on this routine, we will assume that Alice and Bob share a key $K$ for a symmetric IND$-CCA-secure encryption scheme $\mathcal{E} = (G, E, D)$ such that for any key $K$, for any $l \ge k$, $\Pr[U_{\ell(l)} \in [E_K(\{0,1\}^l)]] \le 1/2^k$ (an example is the scheme of the previous section). We will also assume that $G : \{0,1\}^k \to \{0,1\}^{k \times lk}$ is a pseudorandom generator. Then the following scheme is secure against symmetric chosen-covertext attack:

Construction 5.15. (sCCA Stegosystem)

Procedure Encode:
Input: $m \in \{0,1\}^l$, $h$, $K$
Choose $r \leftarrow U_k$
Let $c = E_K(r \| m)$
Let $r' = G(r)$
Output: DEncode$(c, h, k, r')$

Procedure Decode:
Input: $s_1, \ldots, s_l$, $h$, $K$
Let $c = $ Basic_Decode$(s_1, \ldots, s_l)$
Parse $D_K(c)$ as $r \|_k m$.
Set $r' = G(r)$.
If $s \ne$ DEncode$(c, h, k, r')$ return $\bot$.
Output: $m$

Theorem 5.16. If $f$ is $\epsilon$-biased for $\mathcal{C}$, then

$\mathrm{InSec}^{\mathrm{sCCA}}_{\mathcal{S},\mathcal{C}}(t, q, \mu, k) \le \mathrm{InSec}^{\mathrm{cca}}_{\mathcal{E}}(t', q, \mu, k) + q_e 2^{-k} + \ell(\mu_e)\epsilon + q_e\,\mathrm{InSec}^{\mathrm{prg}}_G(t', k) \;,$

where $t' \le t + O((\mu_e + \mu_d)k)$.

¹Recall that a channel is efficiently sampleable if there exists a PPT $C$ such that $C(1^k, h, U_k)$ and $\mathcal{C}_h$ are computationally indistinguishable.
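Constructions 5.14 and 5.15 in running form, as an added example that is not the thesis's code: a toy Python stegosystem whose channel sampler, bit function $f$, IND$-CCA scheme (encrypt-then-MAC) and PRG $G$ (SHA-256 in counter mode) are all stand-ins chosen here, not taken from the text. The point it makes concrete is the re-encoding check in Decode: a document sequence that carries the same ciphertext bits as a genuine stegotext but is not the one DEncode produces decrypts fine yet is rejected with $\bot$, which is exactly why the sCCA reduction can answer such decoding queries with $\bot$.

```python
"""Toy sCCA stegosystem: DEncode (Construction 5.14) and the re-encoding check of
Construction 5.15. Not the thesis's code; channel, f, E and G are stand-ins."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

KB = 16     # k in bytes: key, nonce, tag and per-bit randomness length (toy choice)
BOUND = 32  # DEncode's per-bit rejection bound k; an unbiased f fails a bit w.p. 2^-32
# Toy channel alphabet: 16 words, 8 of odd and 8 of even length, so f below is unbiased.
VOCAB = ["the", "quick", "brown", "fox", "jumps", "dog", "cat", "and",
         "over", "lazy", "runs", "away", "home", "then", "cats", "dogs"]
History = Tuple[str, ...]

def channel_sample(h: History, r: bytes) -> str:
    """Efficiently sampleable channel C(1^k, h, r): the document is a function of (h, r)."""
    d = hashlib.sha256(b"C|" + "|".join(h).encode() + b"|" + r).digest()
    return VOCAB[d[0] % len(VOCAB)]

def f(doc: str) -> int:
    """Bit function read by Basic_Decode: parity of the document length."""
    return len(doc) % 2

def dencode(bits: List[int], h: History, bound: int, rand: List[bytes]) -> List[str]:
    """DEncode: for each bit c_i, consume the next unused r_t until f(s) = c_i or
    `bound` draws are used. Deterministic: equal (bits, h, rand) give equal output."""
    out, t = [], 0
    for c in bits:
        for _ in range(bound):
            s = channel_sample(h, rand[t])
            t += 1
            if f(s) == c:
                break
        out.append(s)
        h = h + (s,)
    return out

def basic_decode(docs: List[str]) -> List[int]:
    return [f(s) for s in docs]

def prg(seed: bytes, n: int) -> List[bytes]:
    """G: {0,1}^k -> ({0,1}^k)^n via SHA-256 in counter mode (stand-in for a real PRG)."""
    return [hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:KB] for i in range(n)]

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def enc(key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the IND$-CCA scheme E: nonce || ct || tag."""
    nonce = secrets.token_bytes(KB)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:KB]
    return nonce + ct + tag

def dec(key: bytes, c: bytes) -> Optional[bytes]:
    """None (⊥) unless the tag verifies; a random string is accepted w.p. about 2^-128."""
    if len(c) < 2 * KB:
        return None
    nonce, ct, tag = c[:KB], c[KB:-KB], c[-KB:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:KB], tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def to_bits(data: bytes) -> List[int]:
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def from_bits(bits: List[int]) -> bytes:
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))

def encode(key: bytes, m: bytes, h: History) -> List[str]:
    """sCCA.Encode: r <- U_k; c = E_K(r || m); r' = G(r); output DEncode(c, h, k, r')."""
    r = secrets.token_bytes(KB)
    bits = to_bits(enc(key, r + m))
    return dencode(bits, h, BOUND, prg(r, len(bits) * BOUND))

def decode(key: bytes, s: List[str], h: History) -> Optional[bytes]:
    """sCCA.Decode: recover c, decrypt to r || m, then accept only if s is exactly the
    stegotext DEncode yields from (c, h, G(r)); any other document sequence is ⊥."""
    if len(s) % 8:
        return None
    c = from_bits(basic_decode(s))
    pt = dec(key, c)
    if pt is None or len(pt) < KB:
        return None
    r, m = pt[:KB], pt[KB:]
    bits = to_bits(c)
    if dencode(bits, h, BOUND, prg(r, len(bits) * BOUND)) != s:
        return None  # same ciphertext bits, but not the canonical stegotext
    return m

def same_bit_variant(s: List[str]) -> List[str]:
    """A different document sequence carrying identical f-bits: what a warden could
    submit to SD after seeing s; it decrypts to the same r || m but is rejected."""
    alt = next(w for w in VOCAB if w != s[0] and f(w) == f(s[0]))
    return [alt] + s[1:]
```

Calling `encode(key, b"meet at noon", ("hello bob",))` yields 480 documents (one per ciphertext bit) that `decode` recovers, while `decode` on `same_bit_variant` of that output, on the output under another history, or under another key returns `None`.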


Proof. Choose an arbitrary $W \in \mathcal{W}(t, q, \mu)$. We will bound $\mathrm{Adv}^{\mathrm{sCCA}}_{\mathcal{S},\mathcal{C},W}(k)$ by considering the following sequence of hybrid oracles:

• $O_1$: the channel oracle $O_{\mathcal{C}}$.

• $O_2$: responds to queries by replacing $c \leftarrow E_K(r \| m)$ with $c \leftarrow U_{\ell(|m|+k)}$ and replacing $r' = G(r)$ with $r' \leftarrow U_{k \times lk}$.

• $O_3$: responds to queries by replacing $c \leftarrow E_K(r \| m)$ with $c \leftarrow U_{\ell(|m|+k)}$.

• $O_4$: responds to queries with sCCA.Encode.

Clearly $\Pr[W^{O_1, SD_K}(1^k) = 1] = \Pr[W^{O_{\mathcal{C}}, SD_K}(1^k) = 1]$ and $\Pr[W^{O_4, SD_K}(1^k) = 1] = \Pr[W^{SE_K, SD_K}(1^k) = 1]$. Thus

$\mathrm{Adv}^{\mathrm{sCCA}}_{\mathcal{S},\mathcal{C},W}(k) = \left|\Pr[W^{O_4, SD_K}(1^k) = 1] - \Pr[W^{O_1, SD_K}(1^k) = 1]\right|$

$\le \left|\Pr[W^{O_2, SD_K}(1^k) = 1] - \Pr[W^{O_1, SD_K}(1^k) = 1]\right|$

$+ \left|\Pr[W^{O_3, SD_K}(1^k) = 1] - \Pr[W^{O_2, SD_K}(1^k) = 1]\right|$

$+ \left|\Pr[W^{O_4, SD_K}(1^k) = 1] - \Pr[W^{O_3, SD_K}(1^k) = 1]\right|$

For convenience, we will define the quantity

$\mathrm{Adv}^i_W(k) = \left|\Pr[W^{O_{i+1}, SD_K}(1^k) = 1] - \Pr[W^{O_i, SD_K}(1^k) = 1]\right| \;,$

and we will proceed to bound $\mathrm{Adv}^i_W(k)$ for $i \in \{1, 2, 3\}$.

Lemma 5.17. $\mathrm{Adv}^1_W(k) \le \ell(\mu_e)\epsilon$

Proof. This follows from lemma 4.8. □

Lemma 5.18. $\mathrm{Adv}^2_W(k) \le q_e\,\mathrm{InSec}^{\mathrm{prg}}_G(t', k)$

Proof. We will construct a PRG adversary $A$ for $G$ such that

$\mathrm{Adv}^{\mathrm{prg}}_{G,A}(k) \ge \frac{1}{q_e}\,\mathrm{Adv}^2_W(k) \;.$

$A$ works as follows: first, $A$ picks a key $K \leftarrow U_k$ to use in responding to the queries $W$ makes to $SD_K$. Suppose $A$ is given as input $q_e$ strings $r_1, \ldots, r_{q_e}$ of length $k \times lk$ and asked to decide whether they are all samples from $U_{k \times lk}$ or samples from $G(U_k)$. Then $A$ can achieve advantage precisely $\mathrm{Adv}^2_W(k)$ by emulating $W$, responding to its decoding queries using $K$, and responding to the $i$th encoding query $(m, h)$ by drawing $c \leftarrow U_{\ell(|m|+k)}$ and giving the response DEncode$(c, h, k, r_i)$. If all of the $r_i$ are drawn from $U_{k \times lk}$, then $A$ perfectly simulates $O_2$ to $W$, and if all are drawn from $G(U_k)$, $A$ perfectly simulates $O_3$. Thus $A$'s advantage in distinguishing $G(U_k)^{q_e}$ and $U_{k \times lk}^{q_e}$ is exactly $\mathrm{Adv}^2_W(k)$. The lemma follows from this fact and proposition 2.6 (a straightforward hybrid argument). □

Lemma 5.19. $\mathrm{Adv}^3_W(k) \le \mathrm{InSec}^{\mathrm{cca}}_{\mathcal{E}}(t', q, \mu, k) + q_e 2^{-k}$

Proof. We will construct an adversary $A$ that plays the chosen-ciphertext attack game against $\mathcal{E}$ with advantage

$\mathrm{Adv}^{\mathrm{cca}}_{\mathcal{E},A}(k) \ge \mathrm{Adv}^3_W(k) - q_e 2^{-k} \;.$

$A$ works by emulating $W$ and responding to queries as follows:

• on encoding query $(m, h)$, $A$ chooses $r \leftarrow U_k$, computes $c \leftarrow O(r \| m)$, and returns DEncode$(c, h, k, G(r))$.

• on decoding query $(s, h)$, $A$ computes $c = $ Basic_Decode$(s, h)$; if $c$ was previously generated by an encoding query, $A$ returns $\bot$, otherwise $A$ uses its decryption oracle to compute $r \|_k m = D_K(c)$. If $D_K(c) \ne \bot$ and $s = $ DEncode$(c, h, k, G(r))$, $A$ returns $m$, otherwise $A$ returns $\bot$.

In other words, $A$ simulates running the routines sCCA.Encode and sCCA.Decode with its oracles, with the exception that because $A$ is playing the IND$-CCA game, he is not allowed to query $D_K$ on the result of an encryption query: thus a decoding query that has the same underlying ciphertext $c$ must be dealt with specially.

Notice that when $A$ is given an encryption oracle, he perfectly simulates $O_4$ to $W$, that is:

$\Pr[A^{E_K, D_K}(1^k) = 1] = \Pr[W^{O_4, SD_K}(1^k) = 1] \;.$

This is because when $c = E_K(r \| m)$ then the test $s = $ DEncode$(c, h, k, G(r))$ would fail anyways.

Likewise, when $A$ is given a random-string oracle, he perfectly simulates $O_3$ to $W$, given that the outputs of $O$ are not valid ciphertexts. Let us denote the event that some output of $O$ is a valid ciphertext by $V$, and the event that some output of $O_3$ encodes a valid ciphertext by $U$; notice that by construction $\Pr[U] = \Pr[V]$. We then have that

$\Pr[A^{\$, D_K}(1^k) = 1] = \Pr[A^{\$, D_K}(1^k) = 1 \mid \neg V]\Pr[\neg V] + \Pr[A^{\$, D_K}(1^k) = 1 \mid V]\Pr[V]$

$\le \Pr[W^{O_3, SD_K}(1^k) = 1 \mid \neg U]\Pr[\neg U] + \Pr[V]$

$\le \Pr[W^{O_3, SD_K}(1^k) = 1] + \Pr[V]$

$\le \Pr[W^{O_3, SD_K}(1^k) = 1] + q_e 2^{-k} \;,$

since $\Pr[V] \le q_e 2^{-k}$ by assumption on $\mathcal{E}$ and the union bound.

Combining the cases, we find that

$\mathrm{Adv}^{\mathrm{cca}}_{\mathcal{E},A}(k) = \Pr[A^{E_K, D_K}(1^k) = 1] - \Pr[A^{\$, D_K}(1^k) = 1]$

$= \Pr[W^{O_4, SD_K}(1^k) = 1] - \Pr[A^{\$, D_K}(1^k) = 1]$

$\ge \Pr[W^{O_4, SD_K}(1^k) = 1] - \Pr[W^{O_3, SD_K}(1^k) = 1] - q_e 2^{-k}$

$= \mathrm{Adv}^3_W(k) - q_e 2^{-k} \;,$

which proves the lemma. □

Combining the three lemmata yields the proof of the theorem. □

Public-Key  Chosen-covertext  attacks 

In  the  public-key  case,  we  will  likewise  need  to  construct  a  public-key  encryption 
scheme  which  is  indistinguishable  from  random  bits  under  chosen-ciphertext  attack. 
The  definitions  in  this  section  are  mostly  analogous  to  those  of  the  previous  section, 
although  the  construction  of  a  public-key  encryption  scheme  satisfying  this  definition 
uses  very  different  techniques. 
IND$-CCA

Let $\mathcal{E}$ be a public-key encryption scheme. A chosen-ciphertext attack against $\mathcal{E}$ is defined analogously to the symmetric case, except that instead of an oracle for $E_{PK}$, the adversary $A$ is given the public key $PK$. We define a chosen-ciphertext attack against $\mathcal{E}$ as a game played by an oracle adversary $A$:

1. $A$ is given $PK$ and oracle access to $D_{SK}$, and determines a challenge message $m^*$ of length $l^*$.

2. $A$ is given a challenge ciphertext $c^*$, which is either drawn from $E_{PK}(m^*)$ or from $U_{\ell(l^*)}$.

3. $A$ continues to query $D_{SK}$ subject to the restriction that $A$ may not query $D_{SK}(c^*)$. $A$ outputs a bit.

We define $A$'s CCA advantage against $\mathcal{E}$ by

$\mathrm{Adv}^{\mathrm{cca}}_{\mathcal{E},A}(k) = \left|\Pr[A^{D_{SK}}(PK, E_{PK}(m^*)) = 1] - \Pr[A^{D_{SK}}(PK, U_{\ell(l^*)}) = 1]\right| \;,$

where $m^* \leftarrow A^{D_{SK}}(PK)$ and $(PK, SK) \leftarrow G(1^k)$, and define the CCA insecurity of $\mathcal{E}$ by

$\mathrm{InSec}^{\mathrm{cca}}_{\mathcal{E}}(t, q, \mu, l^*, k) = \max_{A \in \mathcal{A}(t, q, \mu, l^*)} \left\{\mathrm{Adv}^{\mathrm{cca}}_{\mathcal{E},A}(k)\right\} \;,$

where $\mathcal{A}(t, q, \mu, l^*)$ denotes the set of adversaries running in time $t$, that make $q$ queries of total length $\mu$, and issue a challenge message $m^*$ of length $l^*$. Then $\mathcal{E}$ is $(t, q, \mu, l^*, k, \epsilon)$-indistinguishable from random bits under chosen ciphertext attack if $\mathrm{InSec}^{\mathrm{cca}}_{\mathcal{E}}(t, q, \mu, l^*, k) \le \epsilon$. $\mathcal{E}$ is called indistinguishable from random bits under chosen ciphertext attack (IND$-CCA) if for every PPTM $A$, $\mathrm{Adv}^{\mathrm{cca}}_{\mathcal{E},A}(k)$ is negligible in $k$.
Construction. Let $\Pi_k$ be a family of trapdoor one-way permutations on domain $\{0,1\}^k$. Let $\mathcal{SE}_{k'} = (E, D)$ be a symmetric encryption scheme which is IND$-CCA secure. Let $H : \{0,1\}^k \to \{0,1\}^{k'}$ be a random oracle. We define our encryption scheme $\mathcal{E}$ as follows:

• Generate$(1^k)$: draws $(\pi, \pi^{-1}) \leftarrow \Pi_k$; the public key is $\pi$ and the private key is $\pi^{-1}$.

• Encrypt$(\pi, m)$: draws a random $x \leftarrow U_k$, computes $K = H(x)$, $c = E_K(m)$, $y = \pi(x)$ and returns $y \| c$.

• Decrypt$(\pi^{-1}, y \| c)$: computes $x = \pi^{-1}(y)$, sets $K = H(x)$ and returns $D_K(c)$.

Theorem 5.20.

$\mathrm{InSec}^{\mathrm{cca}}_{\mathcal{E}}(t, q, \mu, l, k) \le \mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + \mathrm{InSec}^{\mathrm{cca}}_{\mathcal{SE}}(t', 1, q, l, \mu, k) \;,$

where $t' \le t + O(q\mu)$.

Proof. We will show how to use any adversary $A \in \mathcal{A}(t, q, \mu, l)$ against $\mathcal{E}$ to create an adversary $B$ which plays both the IND$-CCA game against $\mathcal{SE}$ and the OWP game against $\Pi$, so that $B$ succeeds in at least one game with success close to that of $A$. $B$ receives as input an element $\pi \in \Pi$ and a $y^* \in \{0,1\}^k$ and also has access to encryption and decryption oracles $O$, $D_K$ for $\mathcal{SE}$. $B$ keeps a list $L$ of $(y, z)$ pairs, where $y \in \{0,1\}^k$ and $z \in \{0,1\}^{k'}$; initially, $L$ is empty. $B$ runs $A$ with input $\pi$ and answers the decryption and random oracle queries of $A$ as follows:

• When $A$ queries $H(x)$, $B$ first computes $y = \pi(x)$, and checks to see whether $y^* = y$; if it does, $B$ “decides” to play the OWP game and outputs $x$, the inverse of $y^*$. Otherwise, $B$ checks to see if there is an entry in $L$ of the form $(y, z)$; if there is, $B$ returns $z$ to $A$. If there is no such entry, $B$ picks $z \leftarrow U_{k'}$, adds $(y, z)$ to $L$ and returns $z$ to $A$.

• When $A$ queries $D_{SK}(y \| c)$, first check whether $y = y^*$; if so, return $D_K(c)$. Otherwise, check whether there is an entry in $L$ of the form $(y, z)$; if not, choose $z \leftarrow U_{k'}$ and add one. Return $\mathcal{SE}.D_z(c)$.

When $A$ returns the challenge plaintext $m^*$, $B$ computes $c^* = O(m^*)$ and gives $A$ the challenge value $y^* \| c^*$. $B$ then proceeds to run $A$, answering queries in the same manner. If $B$ never terminates to play the OWP game, $B$ decides to play the IND$-CCA game and outputs $A$'s decision. Now let $P$ denote the event that $A$ queries $H(x)$ on an $x$ such that $\pi(x) = y^*$. Clearly,

$\mathrm{Adv}^{\mathrm{ow}}_{B,\Pi}(k) = \Pr[P] \;.$

Now, conditioned on $\neg P$, when $B$'s oracle $O$ is a random string oracle, $c^* \leftarrow U_\ell$ and $B$ perfectly simulates the random-string world to $A$. And (still conditioned on $\neg P$) when $B$'s oracle $O$ is $E_K$, $B$ perfectly simulates the ciphertext world to $A$. Thus, we have that:

$\mathrm{Adv}^{\mathrm{cca}}_{B,\mathcal{SE}}(k) = \Pr[B^{\$, \mathcal{SE}.D_K}(\pi, y) = 1] - \Pr[B^{\mathcal{SE}.E_K, \mathcal{SE}.D_K}(\pi, y) = 1]$

$= \Pr[A^{\mathcal{E}.D_{SK}}(U_\ell) = 1 \mid \neg P] - \Pr[A^{\mathcal{E}.D_{SK}}(\mathcal{E}.E(\pi, m^*)) = 1 \mid \neg P]$

But this gives us

$\mathrm{Adv}^{\mathrm{cca}}_{A,\mathcal{E}}(k) = \Pr[A^{\mathcal{E}.D_{SK}}(U_\ell) = 1] - \Pr[A^{\mathcal{E}.D_{SK}}(\mathcal{E}.E(\pi, m^*)) = 1]$

$= \left(\Pr[A^{\mathcal{E}.D_{SK}}(U_\ell) = 1 \mid \neg P] - \Pr[A^{\mathcal{E}.D_{SK}}(\mathcal{E}.E(\pi, m^*)) = 1 \mid \neg P]\right)\Pr[\neg P]$

$+ \left(\Pr[A^{\mathcal{E}.D_{SK}}(U_\ell) = 1 \mid P] - \Pr[A^{\mathcal{E}.D_{SK}}(\mathcal{E}.E(\pi, m^*)) = 1 \mid P]\right)\Pr[P]$

$\le \Pr[A^{\mathcal{E}.D_{SK}}(U_\ell) = 1 \mid \neg P] - \Pr[A^{\mathcal{E}.D_{SK}}(\mathcal{E}.E(\pi, m^*)) = 1 \mid \neg P] + \Pr[P]$

$= \mathrm{Adv}^{\mathrm{cca}}_{B,\mathcal{SE}}(k) + \mathrm{Adv}^{\mathrm{ow}}_{B,\Pi}(k)$

$\le \mathrm{InSec}^{\mathrm{cca}}_{\mathcal{SE}}(t', 1, q, l, \mu, k) + \mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k)$

□


SS-CCA Game

In an adaptive chosen-covertext attack against a public-key stegosystem $\mathcal{S}$, a challenger draws a key pair $(PK, SK) \leftarrow SG(1^k)$, and an adversary $W$ is given $PK$ and allowed oracle access to $SD_{SK}$. The attacker produces a challenge hiddentext $m^*$ and history $h^*$ and is given as a response a sequence of documents $s^* \in D^{\ell(|m^*|)}$. After this, the attacker continues to query $SD$ with the restriction that he may not query $SD(s^*)$. (As always, $W$ is allowed to know the channel distribution $\mathcal{C}$.) At the conclusion of the attack, $W$ must guess whether $s^* \leftarrow SE(PK, m^*, h^*)$ or $s^* \leftarrow \mathcal{C}^{\ell(|m^*|)}_{h^*}$. We define the Steganographic Chosen-Covertext Advantage of $W$ against $\mathcal{S}$ with respect to $\mathcal{C}$ by

$\mathrm{Adv}^{\mathrm{pCCA}}_{\mathcal{S},\mathcal{C},W}(k) = \left|\Pr[W^{SD_{SK}}(PK, SE(PK, m^*, h^*)) = 1] - \Pr[W^{SD_{SK}}(PK, \mathcal{C}^{\ell(|m^*|)}_{h^*}) = 1]\right| \;,$

where $(m^*, h^*) \leftarrow W^{SD_{SK}}(PK)$ and $(PK, SK) \leftarrow SG(1^k)$. We define the CCA insecurity of $\mathcal{S}$ with respect to $\mathcal{C}$ by

$\mathrm{InSec}^{\mathrm{pCCA}}_{\mathcal{S},\mathcal{C}}(t, q, \mu, l^*, k) = \max_{W \in \mathcal{W}(t, q, \mu, l^*)} \left\{\mathrm{Adv}^{\mathrm{pCCA}}_{\mathcal{S},\mathcal{C},W}(k)\right\} \;,$

where $\mathcal{W}(t, q, \mu, l^*)$ denotes the class of all $W$ running in time $t$ which make at most $q$ oracle queries of $\mu$ bits and submit a challenge hiddentext of length at most $l^*$.

We say that $\mathcal{S}$ is $(t, q, \mu, l, k, \epsilon)$ secure against chosen-covertext attack with respect to $\mathcal{C}$ if

$\mathrm{InSec}^{\mathrm{pCCA}}_{\mathcal{S},\mathcal{C}}(t, q, \mu, l, k) \le \epsilon \;,$

and that $\mathcal{S}$ is secure against chosen-covertext attack with respect to $\mathcal{C}$ (SS-CCA) if $\mathrm{Adv}^{\mathrm{pCCA}}_{\mathcal{S},\mathcal{C},W}(k)$ is negligible for all PPT $W$.


Construction

Our construction of a public-key stegosystem secure against chosen-covertext attack is similar to the construction for the symmetric-key case. We will assume that $\mathcal{E}$ is a public-key IND$-CCA secure encryption scheme, and $(PK, SK) \leftarrow \mathcal{E}.G(1^k)$. Furthermore, we assume that for any $l \ge t$, $\Pr[\mathcal{E}.D_{SK}(U_l) \ne \bot] \le 2^{-l}$, for some $t = \mathrm{poly}(k)$. We will also assume that $G : \{0,1\}^k \to \{0,1\}^{k \times lk}$ is a pseudorandom generator.

The following scheme is secure against chosen-covertext attack:

Construction 5.21. (pCCA Stegosystem)

Procedure Encode:
Input: $m \in \{0,1\}^l$, $h$, $PK$
Choose $r \leftarrow U_k$
Let $c = E_{PK}(r \| m)$
Let $r' = G(r)$
Output: DEncode$(c, h, k, r')$

Procedure Decode:
Input: $s_1, \ldots, s_l$, $h$, $SK$
Let $c = $ Basic_Decode$(s_1, \ldots, s_l)$
Parse $D_{SK}(c)$ as $r \|_k m$.
Set $r' = G(r)$.
If $s \ne$ DEncode$(c, h, k, r')$ return $\bot$.
Output: $m$

Theorem 5.22. If $f$ is $\epsilon$-biased for $\mathcal{C}$, then

$\mathrm{InSec}^{\mathrm{pCCA}}_{\mathcal{S},\mathcal{C}}(t, q, \mu, l, k) \le \mathrm{InSec}^{\mathrm{cca}}_{\mathcal{E}}(t', q, \mu, l, k) + 2^{-l} + \ell(l + k)\epsilon + \mathrm{InSec}^{\mathrm{prg}}_G(t', k) \;,$

where $t' \le t + O(lk)$.


Proof. Choose an arbitrary $W \in \mathcal{W}(t, q, \mu, l)$, let $(PK, SK) \leftarrow G(1^k)$ and let

$(m^*, h^*) \leftarrow W^{SD_{SK}}(PK) \;.$

We will bound $\mathrm{Adv}^{\mathrm{pCCA}}_{\mathcal{S},\mathcal{C},W}(k)$ by considering the following sequence of hybrid distributions:

• $D_1$: $\mathcal{C}^{\ell(l+k)}_{h^*}$

• $D_2$: DEncode$(U_{\ell(l+k)}, h^*, k, U_{k \times lk})$

• $D_3$: DEncode$(U_{\ell(l+k)}, h^*, k, G(U_k))$

• $D_4$: DEncode$(E_{PK}(r \| m^*), h^*, k, G(r))$, where $r \leftarrow U_k$

Clearly $\Pr[W^{SD}(D_4) = 1] = \Pr[W^{SD}(SE(PK, m^*, h^*)) = 1]$ and $\Pr[W^{SD}(D_1) = 1] = \Pr[W^{SD}(\mathcal{C}^{\ell(l+k)}_{h^*}) = 1]$. Thus

$\mathrm{Adv}^{\mathrm{pCCA}}_{\mathcal{S},\mathcal{C},W}(k) = \left|\Pr[W^{SD}(D_4) = 1] - \Pr[W^{SD}(D_1) = 1]\right|$

$\le \left|\Pr[W^{SD}(D_2) = 1] - \Pr[W^{SD}(D_1) = 1]\right|$

$+ \left|\Pr[W^{SD}(D_3) = 1] - \Pr[W^{SD}(D_2) = 1]\right|$

$+ \left|\Pr[W^{SD}(D_4) = 1] - \Pr[W^{SD}(D_3) = 1]\right|$

For convenience, we will define the quantity

$\mathrm{Adv}^i_W(k) = \left|\Pr[W^{SD}(D_{i+1}) = 1] - \Pr[W^{SD}(D_i) = 1]\right| \;,$

and we will proceed to bound $\mathrm{Adv}^i_W(k)$ for $i \in \{1, 2, 3\}$.

Lemma 5.23. $\mathrm{Adv}^1_W(k) \le \ell(l + k)\epsilon$

Proof. This follows from lemma 4.8. □

Lemma 5.24. $\mathrm{Adv}^2_W(k) \le \mathrm{InSec}^{\mathrm{prg}}_G(t', k)$

Proof. We will construct a PRG adversary $A$ for $G$ such that

$\mathrm{Adv}^{\mathrm{prg}}_{G,A}(k) = \mathrm{Adv}^2_W(k) \;.$

$A$ works as follows: first, $A$ picks a key pair $(PK, SK) \leftarrow G(1^k)$ to use in responding to the queries $W$ makes to $SD$. $A$ is given as input a string $r' \in \{0,1\}^{k \times lk}$ and asked to decide whether $r' \leftarrow U_{k \times lk}$ or $r' \leftarrow G(U_k)$. Then $A$ can achieve advantage precisely $\mathrm{Adv}^2_W(k)$ by emulating $W$, responding to its decoding queries using $SK$, and responding to the challenge hiddentext $(m^*, h^*)$ by drawing $c \leftarrow U_{\ell(l+k)}$ and giving the response $s = $ DEncode$(c, h^*, k, r')$. If $r' \leftarrow U_{k \times lk}$, then $s \leftarrow D_2$, and if $r' \leftarrow G(U_k)$, then $s \leftarrow D_3$. Thus $A$'s advantage in distinguishing $G(U_k)$ and $U_{k \times lk}$ is exactly:

$\mathrm{Adv}^{\mathrm{prg}}_{G,A}(k) = \left|\Pr[A(G(U_k)) = 1] - \Pr[A(U_{k \times lk}) = 1]\right|$

$= \left|\Pr[W^{SD}(D_3) = 1] - \Pr[W^{SD}(D_2) = 1]\right|$

$= \mathrm{Adv}^2_W(k)$

□

Lemma 5.25. $\mathrm{Adv}^3_W(k) \le \mathrm{InSec}^{\mathrm{cca}}_{\mathcal{E}}(t', q, \mu, k) + 2^{-l}$

Proof. We will construct an adversary $A$ that plays the chosen-ciphertext attack game against $\mathcal{E}$ with advantage

$\mathrm{Adv}^{\mathrm{cca}}_{\mathcal{E},A}(k) \ge \mathrm{Adv}^3_W(k) - 2^{-l} \;.$

$A$ starts by emulating $W$ to get a challenge hiddentext, responding to decoding queries as follows: on query $(s, h)$, $A$ computes $c = $ Basic_Decode$(s, h)$; $A$ then uses its decryption oracle to compute $r \|_k m = D_{SK}(c)$. If $D_{SK}(c) \ne \bot$ and $s = $ DEncode$(c, h, k, G(r))$, $A$ returns $m$, otherwise $A$ returns $\bot$.

When $W$ generates challenge $(m^*, h^*)$, $A$ chooses $r^* \leftarrow U_k$ and outputs the challenge $r^* \| m^*$. $A$ is given the challenge ciphertext $c^*$ and returns

$s^* = $ DEncode$(c^*, h^*, k, G(r^*))$

to $W$.

$A$ continues to emulate $W$, responding to queries as follows: on decoding query $(s, h)$, $A$ computes $c = $ Basic_Decode$(s, h)$; if $c = c^*$, $A$ returns $\bot$, otherwise $A$ uses its decryption oracle to compute $r \|_k m = D_{SK}(c)$. If $D_{SK}(c) \ne \bot$ and $s = $ DEncode$(c, h, k, G(r))$, $A$ returns $m$, otherwise $A$ returns $\bot$.

In other words, $A$ simulates running the Decode routine of Construction 5.21 with its $D_{SK}$ oracle, except that because $A$ is playing the IND$-CCA game, he is not allowed to query $D_{SK}$ on the challenge value $c^*$: thus a decoding query that has the same underlying ciphertext $c^*$ must be dealt with specially.

Notice that when $A$ is given an encryption of $r^* \| m^*$, he perfectly simulates $D_4$ to $W$, that is:

$\Pr[A^{D_{SK}}(PK, E_{PK}(r^* \| m^*)) = 1] = \Pr[W^{SD}(PK, D_4) = 1] \;.$

This is because when $c^* = E_{PK}(r^* \| m^*)$ then the test $s = $ DEncode$(c, h, k, G(r))$ would fail anyways.

Likewise, when $A$ is given a random string, he perfectly simulates $D_3$ to $W$, given that $c^*$ is not a valid ciphertext. Let us denote the event that $c^*$ is a valid ciphertext by $V$, and the event that a sample from $D_3$ encodes a valid ciphertext by $U$; notice that by construction $\Pr[U] = \Pr[V]$. We then have that

$\Pr[A^{D_{SK}}(PK, U_{\ell(l+k)}) = 1] = \Pr[A^{D_{SK}}(PK, U_{\ell(l+k)}) = 1 \mid \neg V]\Pr[\neg V]$

$+ \Pr[A^{D_{SK}}(PK, U_{\ell(l+k)}) = 1 \mid V]\Pr[V]$

$\le \Pr[W^{SD}(PK, D_3) = 1 \mid \neg U]\Pr[\neg U] + \Pr[V]$

$\le \Pr[W^{SD}(PK, D_3) = 1] + \Pr[V]$

$\le \Pr[W^{SD}(PK, D_3) = 1] + 2^{-l} \;,$

since $\Pr[V] \le 2^{-l}$ by assumption on $\mathcal{E}$.

Combining the cases, we find that

$\mathrm{Adv}^{\mathrm{cca}}_{\mathcal{E},A}(k) = \Pr[A^{D_{SK}}(PK, E_{PK}(r^* \| m^*)) = 1] - \Pr[A^{D_{SK}}(PK, U_{\ell(l+k)}) = 1]$

$= \Pr[W^{SD}(PK, D_4) = 1] - \Pr[A^{D_{SK}}(PK, U_{\ell(l+k)}) = 1]$

$\ge \Pr[W^{SD}(PK, D_4) = 1] - \Pr[W^{SD}(PK, D_3) = 1] - 2^{-l}$

$= \mathrm{Adv}^3_W(k) - 2^{-l} \;,$

which proves the lemma. □

Combining the three lemmata yields the proof of the theorem. □
5.2.2 Authenticated Stegosystems

In the case of public-key steganography, Ward is capable of an even stronger attack than the CCA attack. For example, the warden can detect the use of steganography by Bob simply by encoding a message, sending it to Bob and watching his reaction: if he reacts consistently with receiving the warden's message, then he is probably decoding messages. Thus the warden's goal should be to detect whether a specific pair, Alice and Bob, are communicating steganographically. To protect against such an attack will require that Alice have some secret differentiating herself from the warden: we will allow Alice to publish a “steganographic verification key” which will allow anyone with private key $SK$ to verify that a stegotext generated with the corresponding public key $PK$ was generated by Alice; Alice will keep the “steganographic signature” key secret. In this model, we will define additional attack games to the basic chosen-hiddentext attack: the Chosen Exactly One Attack, and the Chosen Stegotext Attack.

Before we can do so, however, it is necessary to extend the syntax and correctness definitions of a public-key stegosystem to include steganographic signatures.

Definition 5.26. An authenticated public-key stegosystem $\mathcal{S}$ is a quadruple of algorithms:

• $\mathcal{S}$.CodeGen takes as input a security parameter $1^k$ and generates a key pair $(PK, SK) \in \mathcal{PK} \times \mathcal{SK}$. When it is clear from the context which stegosystem we are referring to, we will abbreviate $\mathcal{S}$.CodeGen by $SG$.

• $\mathcal{S}$.SigGen (abbreviated $SSG$ when $\mathcal{S}$ is clear from the context) takes as input a security parameter $1^k$ and generates a key pair $(SVK, SSK) \in \mathcal{SVK} \times \mathcal{SSK}$.

• $\mathcal{S}$.Encode (abbreviated $SE$ when $\mathcal{S}$ is clear from the context) takes as input a public key $PK \in \mathcal{PK}$, a stegosigning key $SSK \in \mathcal{SSK}$, a string $m \in \{0,1\}^*$ (the hiddentext), and a message history $h$. As with the symmetric case, we will also assume for our feasibility results that $SE$ has access to a channel oracle for some channel $\mathcal{C}$, which can sample from $\mathcal{C}_h$ for any $h$.

$SE(PK, SSK, m, h)$ returns a sequence of documents $s_1, s_2, \ldots, s_l$ (the stegotext) from the support of $\mathcal{C}^l_h$.

• $\mathcal{S}$.Decode (abbreviated $SD$) takes as input a secret key $SK \in \mathcal{SK}$, a stegoverification key $SVK$, a sequence of documents $s_1, s_2, \ldots, s_l$, and a message history $h$.

$SD(SK, SVK, s, h)$ returns a hiddentext $m \in \{0,1\}^*$ or $\bot$.

Of course, we will also require that an authenticated stegosystem is correct:

Definition 5.27. (Correctness) An authenticated stegosystem $\mathcal{S}$ is correct if for every polynomial $p(k)$ there exists a negligible $\nu(k)$ such that

$\forall m \in \{0,1\}^{p(k)},\ h \in D^* :\ \Pr[SD(SK, SVK, SE(PK, SSK, m, h), h) = m] \ge 1 - \nu(k)$

where the probability is over the choices $(PK, SK) \leftarrow SG(1^k)$, $(SVK, SSK) \leftarrow SSG(1^k)$, and any coin tosses of $SE$, $SD$, $SG$, $SSG$ and the oracle to $\mathcal{C}_h$.

We will model an active warden attacking a stegosystem as an efficient oracle machine which plays the following oracle-distinguishing game:

1. $W$ is given access to an oracle which samples documents from the marginal channel distributions $\mathcal{C}_{A \to B, h}$ for any history $h$. (This oracle allows $W$ to learn the covertext distribution on all communications.)

2. $W$ is given access to a second oracle which is either $ST_{atk}$ or $CT_{atk}$. The oracle $ST$ (for StegoText) will model the case in which the pair Alice and Bob are communicating steganographically, while the oracle $CT$ (for CoverText) will model the case in which they are not. The exact distributions over $ST_{atk}$, $CT_{atk}$ vary depending on the attack model, $atk$. Below we will specify these distributions for $atk \in \{\mathrm{cxo}, \mathrm{csa}\}$. Both oracles respond to the null query with the public and verification keys generated by $SG$ and $SSG$.

3. In the end, $W$ outputs a bit.
We define the advantage of $W$ against stegosystem $\mathcal{S}$ over channel $\mathcal{C}$ in attack model $atk$ by

$\mathrm{Adv}^{atk}_{\mathcal{S},\mathcal{C},W}(k) = \left|\Pr[W^{ST_{atk}}(1^k) = 1] - \Pr[W^{CT_{atk}}(1^k) = 1]\right| \;,$

where the warden uses random bits $r$ and the probabilities are also taken over the oracles. Define the insecurity of $\mathcal{S}$ over channel $\mathcal{C}$ by

$\mathrm{InSec}^{atk}_{\mathcal{S},\mathcal{C}}(t, q, l, k) = \max_{W \in \mathcal{W}(t, q, l)} \left\{\mathrm{Adv}^{atk}_{\mathcal{S},\mathcal{C},W}(k)\right\} \;,$

where $\mathcal{W}(t, q, l)$ denotes the set of all adversaries which make at most $q$ oracle queries totaling at most $l$ bits, and run in time at most $t$.

Definition 5.28. (Steganographic secrecy) A stegosystem $\mathcal{S}$ is called $(t, q, l, k, \epsilon)$-steganographically secret against $atk$ (SS-ATK) for the channel $\mathcal{C}$ if $\mathrm{InSec}^{atk}_{\mathcal{S},\mathcal{C}}(t, q, l, k) \le \epsilon$.


For the next construction, we will require the notion of a digital signature scheme that is existentially unforgeable under chosen message attack:

Existentially Unforgeable Digital Signature Schemes.

A digital signature scheme $\mathcal{SG}$ is a triple of probabilistic algorithms:

• $\mathcal{SG}$.Generate: takes as input a security parameter $1^k$ and returns a key pair $(VK, SK)$.

• $\mathcal{SG}$.Sign: takes as input a signing key $SK$ and a message $m$ and outputs a signature $\sigma$.

• $\mathcal{SG}$.Verify: takes as input a verification key $VK$, a message $m$, and a signature $\sigma$ and outputs a bit.

A signature scheme is sound if $V(VK, m, S(SK, m)) = 1$ for all $m$ and $(SK, VK) \in [G(1^k)]$.

Consider the following game that an adversary $A$ plays against $\mathcal{SG}$: the adversary $A$ is given $VK$ and oracle access to $S_{SK}$, where $(SK, VK) \leftarrow G(1^k)$. $A$ makes $q$ oracle queries of at most $l$ bits to get back $\{S_{SK}(M_1), \ldots, S_{SK}(M_q)\}$. $A$ then outputs a pair $(M, \sigma_M)$. $A$ wins if $M \notin \{M_1, \ldots, M_q\}$ and $V(VK, M, \sigma_M) = 1$.

Denote the event of $A$ winning the game by $\mathrm{win}_{A,\mathcal{SG}}(k)$. Let $\mathcal{A}(t, q, l)$ be the set of adversaries $A$ which make $q$ queries to the oracle of at most $l$ bits and run for $t$ time steps. Define the EUF-CMA advantage of $A$ against $\mathcal{SG}$ as

$\mathrm{Adv}^{\mathrm{cma}}_{\mathcal{SG},A}(k) = \Pr[\mathrm{win}_{A,\mathcal{SG}}(k)] \;.$

Define the insecurity of $\mathcal{SG}$ as

$\mathrm{InSec}^{\mathrm{cma}}_{\mathcal{SG}}(t, q, l, k) = \max_{A \in \mathcal{A}(t, q, l)} \left\{\mathrm{Adv}^{\mathrm{cma}}_{\mathcal{SG},A}(k)\right\} \;.$

We say that $\mathcal{SG}$ is $(t, q, l, k, \epsilon)$-existentially unforgeable under chosen message attack if $\mathrm{InSec}^{\mathrm{cma}}_{\mathcal{SG}}(t, q, l, k) \le \epsilon$. $\mathcal{SG}$ is called existentially unforgeable under chosen message attack (EUF-CMA) if for every PPT $A$, $\mathrm{Adv}^{\mathrm{cma}}_{\mathcal{SG},A}(k)$ is negligible in $k$. We note that EUF-CMA signature schemes exist if and only if one-way functions exist [47, 55].

Chosen Exactly-One Attack (CXO).

In a chosen exactly-one attack, Ward may both submit hiddentexts to Alice for encoding, and submit stegotexts to Bob for decoding, but he is prohibited from accessing both at the same time (i.e., with the same history). This models a scenario in which Ward can inject messages onto a network, but cannot replace them; for example, this may be the situation if he is connected to the same shared access network as Bob, but does not control the medium. As in all of our attack models, Ward's goal is to determine whether the specific pair of Alice and Bob are communicating steganographically rather than whether Alice or Bob are using steganography at all. In the case that Ward asks Bob to decode stegotexts, his goal is to detect whether Bob is receiving steganography from Alice by watching Bob's reaction to stegotexts (allegedly from Alice) generated by Ward himself. If Bob is not receiving steganography from Alice, he will always output the distinguished message $\bot$, meaning “no reaction.” If Bob is receiving steganography from Alice, he will decode the stegotexts.

We formally define the oracle distributions $ST_{\mathrm{cxo}}$, $CT_{\mathrm{cxo}}$ as follows: First, draw $(PK, SK) \leftarrow SG(1^k)$, and set $\Phi = \{\}$. Respond to queries using these programs:

$ST_{\mathrm{cxo}}(b \in \{\mathrm{enc}, \mathrm{dec}\}, m, h)$
if ($b = \mathrm{enc}$) then:
    Sample $s \leftarrow SE(PK, m, h)$
    Set $\Phi = \Phi \cup \{h\}$
    return $s$
else
    If $h \in \Phi$ return $\varepsilon$
    else return $SD(SK, m, h)$

$CT_{\mathrm{cxo}}(b \in \{\mathrm{enc}, \mathrm{dec}\}, m, h)$
if ($b = \mathrm{enc}$) then:
    Sample $s \leftarrow \mathcal{C}_h^{|SE(PK, m, h)|}$
    Set $\Phi = \Phi \cup \{h\}$
    return $s$
else
    If $h \in \Phi$ return $\varepsilon$
    else return $\bot$

Note that $\mathrm{InSec}^{\mathrm{cha}}_{\mathcal{S},\mathcal{C}}(t, q, l, k) \le \mathrm{InSec}^{\mathrm{cxo}}_{\mathcal{S},\mathcal{C}}(t, q, l, k)$, since any CHA warden can be emulated by a CXO warden making only $(\mathrm{enc}, m, h)$-queries.

SS-CXO is the strongest notion of security that we are able to achieve in the standard model. Since any stegotext encoded by Alice can be thought of as a “challenge stegotext” (Ward's goal is only to detect that it is, in fact, a stegotext rather than a covertext), this condition is somewhat analogous to non-adaptive chosen ciphertext security (IND-CCA1) for public-key encryption.

Let $\mathcal{SG} = (G_s, S, V)$ be a EUF-CMA secure signature scheme, with signature key $K_S$ and verification key $K_V$, and let $\mathcal{E} = (G, E, D)$ be an IND$-CPA encryption scheme with public key $PK$ and secret key $SK$. Let $\ell$ be the expansion function of $\mathcal{E}$ and let $\ell_\sigma$ be the length of signatures generated by $\mathcal{SG}$. Then the following construction yields a SS-CXO secure stegosystem from Alice to Bob, when Alice knows $PK$, $K_S$ and Bob knows $SK$, $K_V$. Assume also that all keys are generated with security parameter $k$.

Construction 5.29. (Chosen Exactly-One Security)

Procedure CXO_Encode:
Input: $m$, $h$, $PK$, $K_S$
Let $c = E_{PK}(m, S_{K_S}(h, m))$
Output: Basic_Encode$(c, h, k)$

Procedure CXO_Decode:
Input: $s_1, \ldots, s_l$, $h$, $SK$, $K_V$
Let $c = $ Basic_Decode$(s_1, \ldots, s_l)$
Let $(m, \sigma) = D_{SK}(c)$
If $V(K_V, (h, m), \sigma) = 0$ then set $m = \bot$
Output: $m$

Theorem 5.30. Assume $f$ is $\epsilon$-biased on $\mathcal{C}_h$ for all $h$. Then

$\mathrm{InSec}^{\mathrm{cxo}}_{\mathcal{S},\mathcal{C}}(t, q, l, k) \le \mathrm{InSec}^{\mathrm{cma}}_{\mathcal{SG}}(t + O(kl), q, l, k) + \mathrm{InSec}^{\mathrm{cpa}}_{\mathcal{E}}(t + O(kl), q, l + q\ell_\sigma, k) + \ell(l + q\ell_\sigma)\epsilon \;.$
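Construction 5.29 together with the $ST_{\mathrm{cxo}}$ / $CT_{\mathrm{cxo}}$ oracle pair, as an added example that is not the thesis's code; HMAC stands in for the EUF-CMA signature (so $K_S = K_V$ here), a hash-derived stream cipher for the IND$-CPA scheme (so $PK = SK$), and the channel is a uniform draw over a fixed word list (all assumptions). It shows the signature binding the hiddentext to the history $h$, so a stegotext replayed under a different history decodes to $\bot$, and the exactly-one rule returning $\varepsilon$ on any history already used for encoding.

```python
"""Toy SS-CXO stegosystem (Construction 5.29) plus the oracle pair ST_cxo / CT_cxo.
Not the thesis's code: HMAC stands in for the EUF-CMA signature (so K_S = K_V), a
hash-derived stream cipher for the IND$-CPA scheme (so PK = SK), words for documents."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

KB, SIG_LEN, BOUND = 16, 32, 32   # key/nonce bytes, signature bytes, rejection bound per bit
EPS = ""                          # the oracles' empty response ε (ASCII stand-in)
VOCAB = ["the", "quick", "brown", "fox", "jumps", "dog", "cat", "and",
         "over", "lazy", "runs", "away", "home", "then", "cats", "dogs"]  # 8 odd, 8 even
History = Tuple[str, ...]

def f(doc: str) -> int:
    return len(doc) % 2  # unbiased over VOCAB, so Basic_Encode essentially never fails a bit

def sample_channel(h: History) -> str:
    """C_h: this toy channel ignores the history and draws a uniform word with fresh coins."""
    return VOCAB[secrets.randbelow(len(VOCAB))]

def basic_encode(bits: List[int], h: History) -> List[str]:
    """Basic_Encode: rejection-sample from C_h until f(s) = c_i, at most BOUND draws per bit."""
    out = []
    for c in bits:
        for _ in range(BOUND):
            s = sample_channel(h)
            if f(s) == c:
                break
        out.append(s)
        h = h + (s,)
    return out

def basic_decode(docs: List[str]) -> List[int]:
    return [f(s) for s in docs]

def to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(8)]

def from_bits(bits: List[int]) -> bytes:
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def cpa_enc(pk: bytes, pt: bytes) -> bytes:
    """IND$-CPA stand-in: nonce || (pt XOR keystream). No integrity: that is the signature's job."""
    nonce = secrets.token_bytes(KB)
    return nonce + bytes(a ^ b for a, b in zip(pt, keystream(pk, nonce, len(pt))))

def cpa_dec(sk: bytes, c: bytes) -> bytes:
    nonce, ct = c[:KB], c[KB:]
    return bytes(a ^ b for a, b in zip(ct, keystream(sk, nonce, len(ct))))

def sign(ks: bytes, h: History, m: bytes) -> bytes:
    """S_{K_S}(h, m): the signature binds the hiddentext to the history it is sent under."""
    return hmac.new(ks, repr((h, m)).encode(), hashlib.sha256).digest()

def cxo_encode(m: bytes, h: History, pk: bytes, ks: bytes) -> List[str]:
    """CXO_Encode: c = E_PK(m, S_{K_S}(h, m)); output Basic_Encode(c, h, k)."""
    return basic_encode(to_bits(cpa_enc(pk, m + sign(ks, h, m))), h)

def cxo_decode(s: List[str], h: History, sk: bytes, kv: bytes) -> Optional[bytes]:
    """CXO_Decode: decrypt, then output ⊥ (None) unless the signature verifies for (h, m)."""
    if len(s) % 8 or len(s) < 8 * (KB + SIG_LEN):
        return None
    pt = cpa_dec(sk, from_bits(basic_decode(s)))
    m, sigma = pt[:-SIG_LEN], pt[-SIG_LEN:]
    return m if hmac.compare_digest(sign(kv, h, m), sigma) else None

class CXOOracle:
    """ST_cxo (stego=True) or CT_cxo (stego=False); Φ records the histories used for enc."""

    def __init__(self, stego: bool):
        self.stego = stego
        self.pk = self.sk = secrets.token_bytes(KB)  # (PK, SK) <- SG(1^k); collapsed by the stand-in
        self.ks = self.kv = secrets.token_bytes(KB)  # (K_S, K_V); likewise collapsed
        self.phi = set()

    def query(self, b: str, m, h: History):
        if b == "enc":
            self.phi.add(h)
            if self.stego:
                return cxo_encode(m, h, self.pk, self.ks)
            n = 8 * (KB + len(m) + SIG_LEN)  # |SE(PK, m, h)| documents drawn from C_h
            return [sample_channel(h) for _ in range(n)]
        if h in self.phi:
            return EPS  # "exactly one": no decoding on a history already used for encoding
        return cxo_decode(m, h, self.sk, self.kv) if self.stego else None
```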
Proof. Informally, we will consider the hybrid oracle $H$ which answers encoding queries using CXO_Encode and answers all decoding queries with $\bot$. Distinguishing this hybrid from $ST_{\mathrm{cxo}}$ equates to distinguishing CXO_Decode from the constant oracle $\bot$ on some history $h$ for which no query of the form $(\mathrm{enc}, *, h)$ has been made. This can only happen if a decoding query contains a signature on a $(m, h)$ pair which was never signed by CXO_Encode (because no encoding queries were ever made with the history $h$). So, intuitively, distinguishing between $H$ and $ST_{\mathrm{cxo}}$ requires forging a signature. Similarly, since both $H$ and $CT_{\mathrm{cxo}}$ answer all dec queries by $\bot$, distinguishing between them amounts to a chosen-hiddentext attack, which by Lemma 4.10 would give an IND$-CPA attacker for $\mathcal{E}$. The result follows by the triangle inequality.

More formally, let $W \in \mathcal{W}(t, q, l)$. We will show that $W$ must either forge a signature or distinguish the output of $E$ from random bits. We will abuse notation slightly and denote $W^{ST_{\mathrm{cxo}}}$ by $W^{SE, SD}$, and $W^{CT_{\mathrm{cxo}}}$ by $W^{\mathcal{C}, \bot}$. Then we have that

$\mathrm{Adv}^{\mathrm{cxo}}_{\mathcal{S},\mathcal{C},W}(k) = \left|\Pr[W^{SE, SD} = 1] - \Pr[W^{\mathcal{C}, \bot} = 1]\right| \;.$

Consider the “hybrid” distribution which results by answering encoding queries using CXO_Encode but answering all decoding queries with $\bot$. (We denote this oracle by $(SE, \bot)$.)

We construct a EUF-CMA adversary $A_f$ which works as follows: given $K_V$, and a signing oracle for $K_S$, choose $(PK, SK) \leftarrow G_{\mathcal{E}}(1^k)$; use the signing oracle and $E_{PK}$, $D_{SK}$ to emulate CXO_Encode and CXO_Decode to $W$. If $W$ ever makes a query to CXO_Decode which does not return $\bot$ then $A_f$ halts and returns the corresponding $((m, h), \sigma)$ pair, otherwise $A_f$ runs until $W$ halts and returns $(0, 0)$. If we let $F$ denote the event that $W^{SE, SD}$ submits a valid decoding query to CXO_Decode, then we have that $\mathrm{Adv}^{\mathrm{cma}}_{\mathcal{SG}}(A_f) = \Pr[F]$.

We also construct a IND$-CPA adversary $A_d$ which works as follows: given an encryption oracle, choose $(K_S, K_V) \leftarrow G_s(1^k)$, use $K_S$ and the encryption oracle to emulate CXO_Encode to $W$, and respond to any decoding queries with $\bot$. $A_d$ returns the output of $W$. Note that $\mathrm{Adv}^{\mathrm{cpa}}_{\mathcal{E}}(A_d) + \ell(l + q\ell_\sigma)\epsilon \ge \left|\Pr[W^{SE, \bot} = 1] - \Pr[W^{\mathcal{C}, \bot} = 1]\right|$, which follows from Theorem 4.11.
Then we have the following inequalities:

\begin{align*}
\mathrm{Adv}^{\mathrm{cxo}}_{S,C,W}(k) &= \left| \Pr[W^{SE,SD} = 1] - \Pr[W^{C,\bot} = 1] \right| \\
&\le \left| \Pr[W^{SE,SD} = 1] - \Pr[W^{SE,\bot} = 1] \right| + \left| \Pr[W^{SE,\bot} = 1] - \Pr[W^{C,\bot} = 1] \right| \\
&\le \left| \Pr[W^{SE,SD} = 1] - \Pr[W^{SE,\bot} = 1] \right| + \mathrm{Adv}^{\mathrm{cpa}}_{\mathcal{E}}(A_d) + \ell(l + q\ell_\sigma)\varepsilon \\
&\le \mathrm{Adv}^{\mathrm{cma}}_{(S,V)}(A_f) + \mathrm{Adv}^{\mathrm{cpa}}_{\mathcal{E}}(A_d) + \ell(l + q\ell_\sigma)\varepsilon ,
\end{align*}

where the last line follows because (let $D$ denote the event $W^{SE,SD} = 1$, and notice that $D \mid \bar{F}$ is the event $W^{SE,\bot} = 1$):

\begin{align*}
\left| \Pr[D] - \Pr[W^{SE,\bot} = 1] \right| &= \left| \Pr[D \mid F]\Pr[F] + \Pr[D \mid \bar{F}]\Pr[\bar{F}] - \Pr[W^{SE,\bot} = 1] \right| \\
&= \left| \Pr[D \mid F]\Pr[F] + \Pr[W^{SE,\bot} = 1](1 - \Pr[F]) - \Pr[W^{SE,\bot} = 1] \right| \\
&= \left| \Pr[F]\left(\Pr[D \mid F] - \Pr[D \mid \bar{F}]\right) \right| \\
&\le \Pr[F] \\
&= \mathrm{Adv}^{\mathrm{cma}}_{(S,V)}(A_f) .
\end{align*}

The theorem follows by the definition of insecurity, since both $A_d$ and $A_f$ run in time at most $t + O(kl)$. $\square$

Chosen-Stegotext  Attacks 

We now introduce a security condition analogous to adaptive chosen-ciphertext security for encryption schemes (IND-CCA2), SS-CSA. We will construct a stegosystem which is SS-CSA-secure in the Random Oracle model, for any channel which is efficiently sampleable: that is, for which there exists a PPT $C$ such that for all $h$, $C(h; U_k)$ and $C_h$ are indistinguishable.

We formally define the oracle distributions $\mathrm{ST}_{\mathrm{csa}}$, $\mathrm{CT}_{\mathrm{csa}}$ as follows: First, draw $(PK, SK) \leftarrow SG(1^k)$, and set $\phi = \{\}$. Respond to queries using these programs:

$\mathrm{CT}_{\mathrm{csa}}(b \in \{\mathrm{enc}, \mathrm{dec}\}, m, h)$
  if ($b = \mathrm{enc}$) then:
    Sample $s \leftarrow C_h^{|SE(PK, m, h)|}$
    Set $\phi = \phi \cup \{(s, h)\}$
    return $s$
  else
    If $(m, h) \in \phi$ return $\varepsilon$
    else return $\bot$

$\mathrm{ST}_{\mathrm{csa}}(b \in \{\mathrm{enc}, \mathrm{dec}\}, m, h)$
  if ($b = \mathrm{enc}$) then:
    Sample $s \leftarrow SE(PK, m, h)$
    Set $\phi = \phi \cup \{(s, h)\}$
    return $s$
  else
    If $(m, h) \in \phi$ return $\varepsilon$
    else return $SD(SK, m, h)$

Thus, in a chosen-stegotext attack, Ward may ask Alice to encode any (message, history) pair of his choosing, as often as he likes, and may query Bob on any pair $(s, h)$ where $s$ was not a result of an encoding query for history $h$. Notice that if Ward can ask Bob to decode any message output by Alice for the same history it was encoded with, he can detect the use of steganography between Alice and Bob; this is why we do not allow Ward to query Bob on such stegotexts. This restriction is roughly analogous to the standard restriction that an adaptive chosen-ciphertext attacker may not query his decryption oracle on the challenge ciphertext. Advantage and insecurity for SS-CSA are defined analogously to SS-CXO, except that we count encoding and decoding queries separately (as $q_e$ and $q_d$) as well as counting the number of queries made to random oracles.


Construction.

We assume that $\pi_A, \pi_B$ are elements of a trapdoor one-way permutation family $\Pi_k$, where Alice knows $\pi_A^{-1}$ and Bob knows $\pi_B^{-1}$. In addition, we assume all parties have access to random oracles $F : \{0,1\}^* \to \{0,1\}^k$, $G : \{0,1\}^* \to \{0,1\}^k$, $H_1 : \{0,1\}^k \to \{0,1\}^*$, and $H_2 : \{0,1\}^* \to \{0,1\}^k$. The following construction slightly modifies techniques from [9], using the random oracles $H_1$ and $H_2$ with $\pi_B$ to construct a pseudorandom non-malleable encryption scheme and the oracle $F$ in conjunction with $\pi_A$ to construct a strongly unforgeable signature scheme.

Construction 5.31. (Chosen Stegotext Security)

Procedure CSA_Encode$^{F,G,H}$:

Input: $m_1 \cdots m_\ell$, $h$, $\pi_A^{-1}$, $\pi_B$
Choose $r \leftarrow U_k$
Let $\sigma = \pi_A^{-1}(F(r, m, h))$
Let $e = H_1(r) \oplus (m, \sigma)$
Let $\tau = H_2(r, m, h)$
Let $y = \pi_B(r)$
Let $c = y \| e \| \tau$
Output: UEncode$^G(c, r, h)$

Procedure CSA_Decode$^{F,G,H}$:

Input: $s_1, \ldots, s_l$, $h$, $\pi_A$, $\pi_B^{-1}$
Let $c = $ Basic_Decode$(s_1, \ldots, s_l)$
Parse $c$ as $y \| e \| \tau$
Set $r = \pi_B^{-1}(y)$
If $s \ne$ UEncode$^G(c, r, h)$ return $\bot$
Let $(m, \sigma) = e \oplus H_1(r)$
If $\tau \ne H_2(r, m, h)$ return $\bot$
If $\pi_A(\sigma) \ne F(r, m, h)$ return $\bot$
Output: $m$

Procedure UEncode$^G$:

Input: $c \in \{0,1\}^*$, $r \in \{0,1\}^k$, $h$
for $i = 1 \ldots l$ do
  Let $j = 0$
  repeat:
    set $s_i = C(h; G(h, r, c, j))$
    increment $j$
  until $f(s_i) = c_i$ OR ($j > k$)
  set $h = (h, s_i)$

Output: $s_1, s_2, \ldots, s_l$
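The step of CSA_Decode that recomputes UEncode$^G(c, r, h)$ and compares it with the received stegotext is what gives each $(c, r, h)$ triple a unique valid stegotext, which the proof of Theorem 5.32 relies on. The Python below is an added illustration and not code from the thesis: it implements UEncode$^G$ and that check over a constructed toy channel (a small weighted vocabulary; `sampler(h, coins)` plays the efficient sampler $C(h; \cdot)$, `f` is the parity of the document length, and `hashlib.sha256` stands in for the random oracle $G$). It assumes the decoder already holds $r$; in the construction $r$ is recovered as $\pi_B^{-1}(y)$, and the trapdoor permutations, $H_1$, $H_2$ and $F$ are left out. The demonstration is that a substituted document which leaves Basic_Decode's bits unchanged is nevertheless rejected, because it is not the stegotext that $(c, r, h)$ determines.

```python
import hashlib

# Constructed toy channel vocabulary. The weights make the document distribution
# non-uniform and history-dependent, as a real C_h would be.
DOCUMENTS = ["the", "and", "secure", "channel", "bob", "alice", "hidden", "oracle"]
WEIGHTS_EVEN = [3, 3, 2, 2, 1, 1, 1, 1]   # used when the history has even length
WEIGHTS_ODD = WEIGHTS_EVEN[::-1]          # used when the history has odd length


def G(h, r, c, j):
    """Stand-in for the random oracle G(h, r, c, j): 32 bytes of deterministic coins."""
    return hashlib.sha256(repr((h, r, c, j)).encode()).digest()


def sampler(h, coins):
    """Toy efficiently-sampleable channel C(h; coins): one document chosen by weight."""
    weights = WEIGHTS_ODD if len(h) % 2 else WEIGHTS_EVEN
    pick = int.from_bytes(coins[:4], "big") % sum(weights)
    for doc, w in zip(DOCUMENTS, weights):
        if pick < w:
            return doc
        pick -= w
    raise AssertionError("unreachable: pick is below sum(weights)")


def f(doc):
    """Public extraction function f: one bit per document (parity of its length)."""
    return len(doc) % 2


def uencode(c, r, h, k=32):
    """UEncode^G(c, r, h): rejection-sample each document with coins taken from G.
    Unlike Basic_Encode, the coins are a function of (h, r, c, j), so the output is
    fully determined by (c, r, h) and anyone holding r can recompute it."""
    hist = tuple(h)
    out = []
    for bit in c:
        j = 0
        while True:
            s_i = sampler(hist, G(hist, r, tuple(c), j))
            j += 1
            if f(s_i) == bit or j > k:   # give up after k attempts, as in the thesis
                break
        out.append(s_i)
        hist = hist + (s_i,)            # the history grows by the document just sent
    return out


def basic_decode(stegotext):
    """Basic_Decode: read one bit per document with f."""
    return [f(s) for s in stegotext]


def check_stegotext(stegotext, r, h, k=32):
    """The 'If s != UEncode^G(c, r, h) return bottom' step of CSA_Decode.
    Returns the decoded bits, or None (standing for bottom) when the stegotext is
    not the unique one that (c, r, h) produces."""
    c = basic_decode(stegotext)
    if list(stegotext) != uencode(c, r, h, k):
        return None
    return c


def demo():
    """Round trip, then a substitution that preserves the bits but not the stegotext."""
    h = ("good", "morning")                   # constructed prior history
    r = "9f1c"                                # constructed per-message randomness
    c = [1, 0, 1, 1, 0, 0, 1, 0]
    s = uencode(c, r, h)
    assert basic_decode(s) == c
    assert check_stegotext(s, r, h) == c
    # Replace the first document by a different one carrying the same bit.
    substitute = next(d for d in DOCUMENTS if d != s[0] and f(d) == f(s[0]))
    tampered = [substitute] + s[1:]
    assert basic_decode(tampered) == c              # the bits survive the substitution
    assert check_stegotext(tampered, r, h) is None  # but the recomputation check rejects it
    return s, tampered


if __name__ == "__main__":
    print(demo())
```

The decoder never needs to know which documents are "plausible"; it only needs $r$ and the same sampler, and then there is exactly one sequence it will accept for the recovered $c$.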

Theorem 5.32. If $f$ is $\varepsilon$-biased for $C$, then

\[
\mathrm{InSec}^{\mathrm{csa}}_{S,C}(t, q, l, k) \le (2q_e + q_F)\,\mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + (l + 3q_e k)\varepsilon + (q_e^2 + 2q_d)/2^k ,
\]

where $t' \le t + (q_G + q_F + q_{H_1} + q_{H_2})(q_e + q_d)T_\Pi + k(l + 3q_e k)T_C$, $T_\Pi$ is the time to evaluate members of $\Pi$, and $T_C$ is the running time of $C$.


Proof. Intuitively, this stegosystem is secure because the encryption scheme employed is non-malleable, the signature scheme is strongly unforgeable, and each triple of hiddentext, history, and random bits has a unique valid stegotext, which contains a signature on $(m, h, r)$. Thus any adversary making a valid decoding query which was not the result of an encoding query can be used to forge a signature for Alice, that is, to invert the one-way permutation $\pi_A$.

We define the following sequence of hybrid oracle distributions:

1. $P0(b, m, h) = \mathrm{CT}_{\mathrm{csa}}$, the covertext oracle.

2. $P1(b, m, h)$ responds to dec queries as in $P0$, and responds to enc queries using CSA_Encode$^{F,G,H}$ but with calls to UEncode$^G$ replaced by calls to Basic_Encode.

3. $P2(b, m, h)$ responds to dec queries as in $P1$, and responds to enc queries using CSA_Encode$^{F,G,H}$.

4. $P3(b, m, h) = \mathrm{ST}_{\mathrm{csa}}$, the stegotext oracle.

We are given a CSA attacker $W \in \mathcal{W}(t, q_e, q_d, q_F, q_G, q_{H_1}, q_{H_2}, l)$ and wish to bound his advantage. Notice that

\begin{align*}
\mathrm{Adv}^{\mathrm{csa}}_{S,C,W}(k) \le\ & \left| \Pr[W^{P0}(1^k) = 1] - \Pr[W^{P1}(1^k) = 1] \right| + \\
& \left| \Pr[W^{P1}(1^k) = 1] - \Pr[W^{P2}(1^k) = 1] \right| + \\
& \left| \Pr[W^{P2}(1^k) = 1] - \Pr[W^{P3}(1^k) = 1] \right| .
\end{align*}

Hence, we can bound the advantage of $W$ by the sum of its advantages in distinguishing the successive hybrids. For hybrids $P, Q$ we will denote this advantage by $\mathrm{Adv}^{P,Q}(k) = \left| \Pr[W^{P}(1^k) = 1] - \Pr[W^{Q}(1^k) = 1] \right|$.

Lemma 5.33. $\mathrm{Adv}^{P0,P1}(k) \le q_e\,\mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + 2^{-k}(q_e^2/2 - q_e/2) + (l + 3q_e k)\varepsilon$

Proof. Assume WLOG that $\Pr[W^{P1}(1^k) = 1] \ge \Pr[W^{P0}(1^k) = 1]$. Let $E_r$ denote the event that, when $W$ queries $P1$, the random value $r$ never repeats, and let $E_q$ denote the event that $W$ never makes random oracle queries of the form $H_1(r)$ or $H_2(r, *, *)$ for an $r$ used by CSA_Encode$^{F,G,H}$, and let $E = E_r \wedge E_q$. Then:

\begin{align*}
\mathrm{Adv}^{P0,P1}(k) &= \Pr[W^{P1}(1^k) = 1] - \Pr[W^{P0}(1^k) = 1] \\
&= \Pr[W^{P1}(1^k) = 1 \mid \bar{E}](1 - \Pr[E]) + \Pr[W^{P1}(1^k) = 1 \mid E]\Pr[E] - \Pr[W^{P0}(1^k) = 1] \\
&= \Pr[\bar{E}]\left(\Pr[W^{P1}(1^k) = 1 \mid \bar{E}] - \Pr[W^{P1}(1^k) = 1 \mid E]\right) + \left(\Pr[W^{P1}(1^k) = 1 \mid E] - \Pr[W^{P0}(1^k) = 1]\right) \\
&\le \Pr[\bar{E}] + (l + 3q_e k)\varepsilon \\
&\le \Pr[\bar{E}_r] + \Pr[\bar{E}_q] + (l + 3q_e k)\varepsilon \\
&\le 2^{-k}\frac{q_e(q_e - 1)}{2} + \Pr[\bar{E}_q] + (l + 3q_e k)\varepsilon ,
\end{align*}

because if $r$ never repeats and $W$ never queries $H_1(r)$ or $H_2(r, *, *)$ for some $r$ used by CSA_Encode$^{F,G,H}$, then $W$ cannot distinguish between the ciphertexts passed to Basic_Encode and random bit strings.

It remains to bound $\Pr[\bar{E}_q]$. Given $W \in \mathcal{W}(t, q_e, q_d, q_F, q_G, q_{H_1}, q_{H_2}, l)$ we construct a one-way permutation adversary $A$ against $\pi_B$ which is given a value $\pi_B(x)$ and uses $W$ in an attempt to find $x$, so that $A$ succeeds with probability at least $(1/q_e)\Pr[\bar{E}_q]$. $A$ picks $(\pi_A, \pi_A^{-1})$ from $\Pi_k$, and $i$ uniformly from $\{1, \ldots, q_e\}$, and then runs $W$ answering all its oracle queries as follows:

• enc queries are answered as follows: on query $j \ne i$, respond using the program for CSA_Encode$^{F,G,H}$ with calls to UEncode$^G$ replaced by calls to Basic_Encode. On the $i$-th query respond with $s = \mathrm{Basic\_Encode}(\pi_B(x) \| e_1 \| \tau_1, h)$ where $e_1 = h_1 \oplus (m, \sigma_1)$ and $h_1, \sigma_1, \tau_1$ are chosen uniformly at random from the set of all strings of the appropriate length ($|e_1| = |m| + k$ and $|\tau_1| = k$), and set $\phi = \phi \cup \{(s, h)\}$.

• dec queries are answered using $\mathrm{CT}_{\mathrm{csa}}$.

• Queries to $G$, $F$, $H_1$ and $H_2$ are answered in the standard manner: if the query has been made before, answer with the same answer, and if the query has not been made before, answer with a uniformly chosen string of the appropriate length. If a query contains a value $r$ for which $\pi_B(r) = \pi_B(x)$, halt the simulation and output $r$.

It should be clear that $\Pr[A(\pi_B(x)) = x] \ge \frac{1}{q_e}\Pr[\bar{E}_q]$. $\square$

Lemma 5.34. $\mathrm{Adv}^{P1,P2}(k) \le q_e\,\mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + 2^{-k}(q_e^2/2 - q_e/2)$

Proof. Assume WLOG that $\Pr[W^{P2}(1^k) = 1] \ge \Pr[W^{P1}(1^k) = 1]$. Denote by $E_r$ the event that, when answering queries for $W$, the random value $r$ of CSA_Encode$^{F,G,H}$ never repeats, and by $E_q$ the event that $W$ never queries $G(*, r, \pi_B(r) \| *, *)$ for some $r$ used by CSA_Encode$^{F,G,H}$, and let $E = E_r \wedge E_q$. Then:

\begin{align*}
\mathrm{Adv}^{P1,P2}(k) &= \Pr[W^{P2}(1^k) = 1] - \Pr[W^{P1}(1^k) = 1] \\
&= \left(\Pr[W^{P2}(1^k) = 1 \mid \bar{E}]\Pr[\bar{E}] + \Pr[W^{P2}(1^k) = 1 \mid E]\Pr[E]\right) \\
&\quad - \left(\Pr[W^{P1}(1^k) = 1 \mid \bar{E}]\Pr[\bar{E}] + \Pr[W^{P1}(1^k) = 1 \mid E]\Pr[E]\right) \\
&= \Pr[\bar{E}]\left(\Pr[W^{P2}(1^k) = 1 \mid \bar{E}] - \Pr[W^{P1}(1^k) = 1 \mid \bar{E}]\right) \\
&\le \Pr[\bar{E}] \\
&\le 2^{-k}\frac{q_e(q_e - 1)}{2} + \Pr[\bar{E}_q] .
\end{align*}

Given $W \in \mathcal{W}(t, q_e, q_d, q_F, q_G, q_{H_1}, q_{H_2}, l)$ we construct a one-way permutation adversary $A$ against $\pi_B$ which is given a value $\pi_B(x)$ and uses $W$ in an attempt to find $x$. $A$ picks $(\pi_A, \pi_A^{-1})$ from $\Pi_k$ and $i$ uniformly from $\{1, \ldots, q_e\}$, and then runs $W$ answering all its oracle queries as follows:

• enc queries are answered as follows: on query $j \ne i$, respond according to CSA_Encode$^{F,G,H}$. On the $i$th query respond by computing

\[
s = \mathrm{UEncode}^G(\pi_B(x) \| e_1 \| \tau_1, r_1, h) ,
\]

where $e_1 = h_1 \oplus (m, \sigma_1)$ and $h_1, \sigma_1, \tau_1, r_1$ are chosen uniformly at random from the set of all strings of the appropriate length ($|e_1| = |m| + k$ and $|r_1| = k$), and set $\phi = \phi \cup \{(s, h)\}$.

• dec queries are answered using $\mathrm{CT}_{\mathrm{csa}}$.

• Queries to $G$, $F$, $H_1$ and $H_2$ are answered in the standard manner: if the query has been made before, answer with the same answer, and if the query has not been made before, answer with a uniformly chosen string of the appropriate length. If a query contains a value $r$ for which $\pi_B(r) = \pi_B(x)$, halt the simulation and output $r$.

It should be clear that $\Pr[A(\pi_B(x)) = x] \ge \frac{1}{q_e}\Pr[\bar{E}_q]$. $\square$

Lemma 5.35. $\mathrm{Adv}^{P2,P3}(k) \le q_F\,\mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + q_d/2^{k-1} + q_e/2^k$

Proof. Given $W \in \mathcal{W}(t, q_e, q_d, q_F, q_G, q_{H_1}, q_{H_2}, l)$ we construct a one-way permutation adversary $A$ against $\pi_A$ which is given a value $\pi_A(x)$ and uses $W$ in an attempt to find $x$. $A$ chooses $(\pi_B, \pi_B^{-1})$ from $\Pi_k$ and $i$ uniformly from $\{1, \ldots, q_F\}$, and then runs $W$ answering all its oracle queries as follows:

• enc queries are answered using CSA_Encode$^{F,G,H}$ except that $\sigma$ is chosen at random and $F(r, m, h)$ is set to be $\pi_A(\sigma)$. If $F(r, m, h)$ was already set, fail the simulation.

• dec queries are answered using CSA_Decode$^{F,G,H}$, with the additional constraint that we reject any stegotext for which there hasn't been an oracle query of the form $H_2(r, m, h)$ or $F(r, m, h)$.

• Queries to $G$, $F$, $H_1$ and $H_2$ are answered in the standard manner (if the query has been made before, answer with the same answer, and if the query has not been made before, answer with a uniformly chosen string of the appropriate length) except that the $i$-th query to $F$ is answered using $\pi_A(x)$.

$A$ then searches all the queries that $W$ made to the decryption oracle for a value $\sigma$ such that $\pi_A(\sigma) = \pi_A(x)$. This completes the description of $A$.

Notice that the simulation has a small chance of failure: at most $q_e/2^k$. For the rest of the proof, we assume that the simulation doesn't fail. Let $E$ be the event that $W$ makes a decryption query that is rejected in the simulation, but would not have been rejected by the standard CSA_Decode$^{F,G,H}$. It is easy to see that $\Pr[E] \le q_d/2^{k-1}$. Since the only way to differentiate $P3$ from $P2$ is by making a decryption query that $P3$ accepts but $P2$ rejects, and, conditioned on $\bar{E}$, this can only happen by inverting $\pi_A$ on some $F(r, m, h)$, we have that:

\[
\mathrm{Adv}^{P2,P3}(k) \le q_F\,\mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + q_d/2^{k-1} + q_e/2^k .
\]

$\square$
The theorem follows, because:

\begin{align*}
\mathrm{InSec}^{\mathrm{csa}}_{S,C}(t, q, l, k) &\le \mathrm{Adv}^{\mathrm{csa}}_{S,C,W_{\max}}(k) \\
&\le \mathrm{Adv}^{P0,P1}(k) + \mathrm{Adv}^{P1,P2}(k) + \mathrm{Adv}^{P2,P3}(k) \\
&\le q_e\,\mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + \frac{q_e^2 - q_e}{2^{k+1}} + (l + 3q_e k)\varepsilon + \mathrm{Adv}^{P1,P3}(k) \\
&\le 2q_e\,\mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + 2^{-k}(q_e^2 - q_e) + (l + 3q_e k)\varepsilon + \mathrm{Adv}^{P2,P3}(k) \\
&\le (2q_e + q_F)\,\mathrm{InSec}^{\mathrm{ow}}_{\Pi}(t', k) + 2^{-k}(q_e^2 + 2q_d) + (l + 3q_e k)\varepsilon .
\end{align*}

$\square$

We conjecture that the cryptographic assumptions used here can be weakened; in particular, a random oracle is not necessary given a public-key encryption scheme which satisfies IND$-CPA and is non-malleable, and a signature scheme which is strongly unforgeable. However, we are unaware of an encryption scheme in the standard model satisfying this requirement: nonmalleable encryption schemes following the Naor-Yung paradigm [23,42,48,56] are easily distinguishable from random bits, and the schemes of Cramer and Shoup [20, 21] all seem to generate ciphertexts which are elements of recognizable subgroups. Furthermore, it seems challenging to prevent our motivating attack without assuming the ability to efficiently sample the channel.


5.3 Relationship between robustness and integrity

In this section, we define the notion of a nontrivial relation $R$ and show that if a stegosystem is substitution robust with respect to any nontrivial $R$ then it is insecure against both chosen-covertext and chosen-stegotext attacks. This result implies that no stegosystem can be simultaneously (nontrivially) secure against disrupting and distinguishing active adversaries.

We first must define what makes an admissible bounding relation $R$ nontrivial. Suppose $R$ is efficiently computable but has the property that for every efficient $A$,

\[
\Pr_{d \leftarrow C_{h_A}}\left[ d' = A(1^k, d) \wedge d' \ne d \wedge (d, d') \in R \right]
\]

is negligible. Then any steganographically secret stegosystem is trivially robust against $R$, because no efficient adversary can produce a related stegotext $s_W \ne s$ (except with negligible probability) in the substitution attack game; and thus the decoding of $s_W$ will be $s$, except with negligible probability. Thus in order for robustness of a stegosystem to be "interesting" we will require that this is not the case.

Definition 5.36. If $R$ is admissible for $C$ then $R$ is $p$-nontrivial for $C$ if there is a PPT $A$ and a history $h_A$ such that

\[
\Pr_{d \leftarrow C_{h_A}}\left[ d' = A(1^k, d) \wedge d' \ne d \wedge (d, d') \in R \right] \ge p(k) .
\]

We say that $R$ is non-trivial for $C$ if it is $p(k)$-nontrivial for some $p(k) \ge 1/\mathrm{poly}(k)$.

Suppose the stegosystem $S$ is substitution robust against the nontrivial relation $R$. Consider the following attacker $W_A$. $W_A$ first selects a challenge hiddentext $m_W \leftarrow U_l$ and requests the encoding of $m_W$ under history $h_A$. (In the CSA game, $W_A$ queries its oracle with $(\mathrm{enc}, m_W, h_A)$; in the sCCA game, $W_A$ returns $(m_W, h_A)$ as the challenge ciphertext.) $W_A$ receives the sequence $\sigma_1, \ldots, \sigma_l$ as a response. $W_A$ then computes $s_1 = A(1^k, \sigma_1)$, attempting to find an $s_1 \ne \sigma_1$ such that $(\sigma_1, s_1) \in R$. If $A$ is successful, $W_A$ queries its decoding oracle on the sequence $s = s_1, \sigma_2, \ldots, \sigma_l$. If the response to this query is $m_W$, $W_A$ returns 1, otherwise $W_A$ returns 0.

Intuitively, whether this attack is against a CSA or sCCA oracle, it has a significant advantage because when the sequence $\sigma_1, \ldots, \sigma_l$ is a stegotext, then the response to the decoding query will be $m$ (because $S$ is robust); but when it is a covertext, the probability of decoding to $m$ should be low (again because $S$ is robust). We will now formalize this intuition.

Theorem 5.37.

\[
\mathrm{Adv}^{\mathrm{scca}}_{S,C,W_A}(k) \ge p(k) - \mathrm{InSec}^{\mathrm{cha}}_{S,C}(t_A, 1, l, k) - \mathrm{Fail}^R_S(t_A, 0, 0, l, k) - 2^{-l}
\]

Proof. Recall that

\[
\mathrm{Adv}^{\mathrm{scca}}_{S,C,W_A}(k) = \Pr[W^{SD}(SE(m_W)) = 1] - \Pr[W^{SD}(C^l_{h_A}) = 1] .
\]

Let us first bound $\Pr[W^{SD}(C^l_{h_A}) = 1]$. Recall that $W^{SD}(\sigma) = 1$ when

\[
SD(s_1, \sigma_2, \ldots, \sigma_l) = m_W .
\]

Let $m_s = SD(s)$; then since $s$ is chosen independently of $m_W$, and $m_W$ is chosen uniformly from $\{0,1\}^l$, we have that $\Pr[m_s = m_W] \le 2^{-l}$. Thus

\[
\Pr[W^{SD}(C^l_{h_A}) = 1] \le 2^{-l} .
\]

Let $\mathrm{SR}$ denote the event that in the sCCA game played against stegotext, $s_1 \ne \sigma_1 \wedge (\sigma_1, s_1) \in R$. Now notice that

\[
\Pr[W^{SD}(SE(m_W)) = 1] \ge \Pr[W^{SD}(SE(m_W)) = 1 \mid \mathrm{SR}]\Pr[\mathrm{SR}] .
\]

Because $W$ returns 1 when $SD(s) = m_W$ and $s$ obeys $R$, we must have that

\[
\Pr[W^{SD}(SE(m_W)) \ne 1 \mid \mathrm{SR}] \le \mathrm{Fail}^R_S(t_A, 0, 0, l, k) ,
\]

by the definition of $\mathrm{Fail}^R_S(t_A, 0, 0, l, k)$.

Also, notice that we can exhibit an efficient SS-CHA adversary $W_p$ against $S$ such that

\[
\mathrm{Adv}^{\mathrm{cha}}_{S,C,W_p}(k) \ge p(k) - \Pr[\mathrm{SR}] .
\]

$W_p$ works by requesting the encoding of a uniformly chosen message $m^* \leftarrow U_k$ under history $h_A$ to get a sequence starting with $\sigma^* \in D$; $W_p$ then computes $s^* \leftarrow A(1^k, \sigma^*)$ and returns 1 if $(s^* \ne \sigma^*) \wedge (\sigma^*, s^*) \in R$. When $\sigma^* \leftarrow C_{h_A}$ we have by assumption that

\[
\Pr[W_p(C_{h_A}) = 1] \ge p(k) ,
\]

whereas

\[
\Pr[W_p(SE(m^*)) = 1] = \Pr[\mathrm{SR}] ,
\]

by construction. Since $W_p$ runs in the time it takes to run $A$ and makes 1 encoding query of $k$ bits, we have that

\begin{align*}
\mathrm{InSec}^{\mathrm{cha}}_{S,C}(t_A, 1, l, k) &\ge \mathrm{Adv}^{\mathrm{cha}}_{S,C,W_p}(k) \\
&= \Pr[W_p(C_{h_A}) = 1] - \Pr[W_p(SE(m^*)) = 1] \\
&\ge p(k) - \Pr[\mathrm{SR}] ,
\end{align*}

which by rearranging of terms gives us:

\[
\Pr[\mathrm{SR}] \ge p(k) - \mathrm{InSec}^{\mathrm{cha}}_{S,C}(t_A, 1, l, k) .
\]

Combining these results, we get that

\begin{align*}
\Pr[W^{SD}(SE(m_W)) = 1] &\ge \Pr[W^{SD}(SE(m_W)) = 1 \mid \mathrm{SR}]\Pr[\mathrm{SR}] \\
&\ge \left(1 - \mathrm{Fail}^R_S(t_A, 0, 0, l, k)\right)\Pr[\mathrm{SR}] \\
&\ge \left(1 - \mathrm{Fail}^R_S(t_A, 0, 0, l, k)\right)\left(p(k) - \mathrm{InSec}^{\mathrm{cha}}_{S,C}(t_A, 1, l, k)\right) \\
&\ge p(k) - \mathrm{InSec}^{\mathrm{cha}}_{S,C}(t_A, 1, l, k) - \mathrm{Fail}^R_S(t_A, 0, 0, l, k) ,
\end{align*}

and thus by definition of advantage and insecurity, the theorem follows. $\square$

Theorem 5.38.

\[
\mathrm{Adv}^{\mathrm{csa}}_{S,C,W_A}(k) \ge \left(1 - \mathrm{Fail}^R_S(t_A, 0, 0, l, k)\right)\left(p(k) - \mathrm{InSec}^{\mathrm{cha}}_{S,C}(t_A, 1, l, k)\right)
\]

Proof. Recall that

\[
\mathrm{Adv}^{\mathrm{csa}}_{S,C,W_A}(k) = \Pr[W_A^{\mathrm{ST}_{\mathrm{csa}}}(1^k) = 1] - \Pr[W_A^{\mathrm{CT}_{\mathrm{csa}}}(1^k) = 1] .
\]

It is easy to see that $\Pr[W_A^{\mathrm{CT}_{\mathrm{csa}}}(1^k) = 1] = 0$, since querying $\mathrm{CT}_{\mathrm{csa}}(\mathrm{dec}, s, h_A)$ will always result in $\bot$ or $\varepsilon$, and never $m_W$. The lower bound for $\Pr[W_A^{\mathrm{ST}_{\mathrm{csa}}}(1^k) = 1]$ is proven identically to the stegotext case in the previous proof. $\square$
Chapter 6

Maximizing the Rate

Intuitively, the rate of a stegosystem is the number of bits of hiddentext that a stegosystem encodes per document of covertext. Clearly, for practical use a stegosystem should have a relatively high rate, since it may be impractical to send many documents to encode just a few bits. Thus an important question for steganography, first posed by Anderson and Petitcolas [6], is "how much information can be safely encoded by a stegosystem in the channel $C$?"

A trivial upper bound on the rate of a stegosystem is $\log |D|$. Prior to our work, there were no provably secure stegosystems, and so there was no known lower bound. The rate of the stegosystems defined in the previous chapters is $o(1)$, that is, as the security parameter $k$ goes to infinity, the rate goes to 0. In this chapter, we will address the question of what the optimal rate is for a (universal) stegosystem. We first formalize the definition of the rate of a universal stegosystem. We will then tighten the trivial upper bound by giving a rate $\mathrm{MAX}$ such that any universal stegosystem with rate exceeding $\mathrm{MAX}$ is insecure. We will then give a matching lower bound by exhibiting a provably secure stegosystem with rate $(1 - o(1))\mathrm{MAX}$. Finally we will address the question of what rate a robust stegosystem may achieve.
6.1 Definitions

We concern ourselves with the rate of a universal blockwise, bounded-sample stegosystem with single-block lookahead.

A universal stegosystem $S$ accepts an oracle for the channel $C$ and is secure against chosen-hiddentext attack with respect to $C$ as long as $C$ does not violate the hardness assumptions $S$ is based on. Universality is important because typically there is no good description of the marginal distributions on a channel.

A stegosystem is an $(h, l, \lambda)$-blockwise stegosystem if it is composed of four functions:

• A preprocessing function $PE$ that transforms a hiddentext $m \in \{0,1\}^*$ into a sequence of identically-sized blocks of $\lambda$ bits.

• A block encoding function $BE$ that encodes a block of input bits into a block of $l$ documents.

• A block decoding function $BD$ that inverts $BE$, that is, that transforms a stegotext block into a block of bits.

• A postprocessing function $PD$ that inverts $PE$: that is, transforms a sequence of $\lambda$-bit blocks into a hiddentext $m \in \{0,1\}^*$.

A blockwise stegosystem computes $SE(K, m, h)$ by first computing $c = PE(K, m)$, then computing $h_0 = h$, and $s_i = BE(K, c_i, h_{i-1})$, $h_i = (s_i, h_{i-1})$. $SD(K, s_{1 \ldots n}, h)$ is computed by setting $c_i = BD(K, s_i, h_{i-1})$ for $i \in \{1, \ldots, n\}$ and computing $m = PD(K, c)$. Because stegotexts are compared to covertexts of the same length as a stegotext, any secure stegosystem can be written as a blockwise stegosystem with a single block.

A $(h, l, t)$-sample bounded stegosystem uses $l$-document blocks, draws at most $t$ samples from $C^l_h$ when encoding a block, and has no other knowledge of $C^l_h$. Since we require a stegosystem to have bounded running time and to be universal, the running time of $SE(K, m, h)$ is always an upper bound on $t$. Conversely, if a stegosystem is $t$-sample bounded, $t$ is a lower bound on the running time of $SE$.

A $(h, l, \lambda)$-blockwise stegosystem has single-block lookahead if $BE(K, c, h)$ draws samples only from $C^l_h$ and $C^l_{h,d}$, where $d \in D^l$. Any stegosystem with multi-block lookahead can be transformed into one with single-block lookahead with a larger blocksize.

The rate of a stegosystem $S$ on channel $C$, $\mathcal{R}_C(S)$, is given by

\[
\mathcal{R}_C(S) = \lim_{m \to \infty} \mathbb{E}_h\left[ \frac{m}{|SE(K, U_m, h)|} \right] ,
\]

that is, the number of bits encoded per document by $S$ on channel $C$.


6.2 Upper bound

We consider the class $\mathcal{S}(h, l, t)$ of stegosystems which draw at most $t$ samples from $C^l_h$; we will show two upper bounds on the rate $\mathcal{R}_C(S)$ for any $S \in \mathcal{S}(h, l, t)$. The first, $\mathrm{MAX}_t(S)$, is in terms of the number of samples, $t$. The second, $\mathrm{MAX}_C(S)$, is in terms of the min entropy of the channel $C$. We call the combined upper bound $\mathrm{MAX}_C(h, l, t)$ and define it by

\[
\mathrm{MAX}_C(h, l, t) = \min\{\mathrm{MAX}_t(S), \mathrm{MAX}_C(S)\} .
\]

6.2.1 $\mathrm{MAX}_t(S)$

For any stegosystem $S \in \mathcal{S}(h, l, t)$, we will show that there exists a channel $C$ such that $S$ is insecure relative to $C$ if $\mathcal{R}_C(S) - \log t$ is any positive constant. Thus it follows that $\mathrm{MAX}_t(S) \le \log t$.

Theorem 6.1.

\[
\mathrm{InSec}^{\mathrm{cha}}_{S,C}(O(t + k), 1, k) \ge 1 - 2^{-c(t,k)} - 2^{-k} - \rho(k) ,
\]

where $\rho(k) = \Pr_{m \leftarrow U, K, h}[SD(K, SE(K, m, h), h) \ne m]$ and $\mathcal{R}_C(S) \ge \log t + c(t, k)$.

Proof. The channel $C$ is defined as follows: to every history $h$ of length $k$, we associate a polynomial of degree $t + 1$ over $GF(2^k)$ with uniformly chosen coefficients, $P_h(x)$. To draw from $C_h$, we draw $x \leftarrow U_k$, compute $y = P_h(x)$ and output $x \| y$. Notice that if $S.SE(K, m, h)$ draws at most $t$ samples $(x_1, y_1), \ldots, (x_t, y_t) \leftarrow C_h$, and outputs a pair $(x', y')$ such that $x' \notin \{x_1, \ldots, x_t\}$, then $\Pr[y' = P_h(x')] \le 2^{-k}$. On the other hand, an adversary can draw $t + 1$ samples from $C_h$, and compute $P_h$ by interpolation. Thus when $SE(K, m, h)$ outputs a pair $(x', y') \notin \{(x_1, y_1), \ldots, (x_t, y_t)\}$, an adversary can distinguish between $SE(m, h)$ and $C_h$ by checking whether $y' = P_h(x')$.

Formally, we define the adversary $A^O$ as follows: on input $1^k$, sample a history $h$ of length $k$ by drawing $h_1 \leftarrow C_\varepsilon$, and $h_i \leftarrow C_{h_1 \ldots h_{i-1}}$ for $1 < i \le k$. Draw $t + 1$ samples $(x_1, y_1), \ldots, (x_{t+1}, y_{t+1}) \leftarrow C_h$. Compute the polynomial $P_h$ by interpolation. Choose $m^* \leftarrow U_{\mathcal{R}_C(S)}$, and draw $(x^*, y^*) \leftarrow O(m^*, h)$. If $y^* \ne P_h(x^*)$ output 1, otherwise output 0.

Clearly, $A$ runs in time $O(t + k)$. We will now compute the advantage of $A$. First, notice that given a covertext oracle, $A$ will always output 0:

\[
\Pr[A^{CT}(1^k) = 1] = 0 .
\]

Now, let $\mathrm{NS}$ denote the event that $SE(K, m, h)$ draws samples $(x'_1, y'_1), \ldots, (x'_t, y'_t) \leftarrow C_h$ and outputs a stegotext $(x^*, y^*) \notin \{(x'_1, y'_1), \ldots, (x'_t, y'_t)\}$. Since in this case $\Pr[y^* = P_h(x^*)] \le 2^{-k}$, we have that

\[
\Pr[A^{ST}(1^k) = 1] \ge \Pr[\mathrm{NS}] - 2^{-k} .
\]

Thus we only need to give a lower bound on $\Pr[\mathrm{NS}]$ to complete the proof.

Fix a tuple $(K, m, h)$ and consider the set $SD^{-1}_{K,h}(m) = \{s \in D : SD(K, s, h) = m\}$. Since $\mathcal{R}_C(S, h, k) \ge \log t + c(t, k)$, $SD$ partitions $D$ into $t \times 2^{c(t,k)}$ such sets. Then for any fixed set of samples $(x'_i, y'_i)$, the probability over $m$ that $SE(K, m, h)$ has a sample $(x'_i, y'_i) \in SD^{-1}_{K,h}(m)$ is at most $\frac{t}{t \cdot 2^{c(t,k)}} = 2^{-c(t,k)}$. Let $E$ denote the event that $SE(K, m, h)$ outputs an $s^*$ such that $SD(K, s^*, h) \ne m$. Then

\begin{align*}
\Pr[\mathrm{NS}] &\ge \Pr[\forall i,\ (x'_i, y'_i) \notin SD^{-1}_{K,h}(m)] - \Pr[E] \\
&\ge 1 - 2^{-c(t,k)} - \rho(k) ,
\end{align*}

which yields the stated bound.

$\square$
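The channel from the proof of Theorem 6.1 can be simulated at toy size to see why the sample budget $t$ caps the rate. The Python below is an added example and is not code from the thesis. It builds the polynomial channel over $GF(2^8)$ ($k = 8$ is far too small for anything but illustration; it is chosen so the field arithmetic stays short), the interpolating distinguisher $A$, and two constructed encoders: `encoder_within_budget` only ever outputs one of its own $t$ samples, so it carries at most $\log t$ bits and always passes the curve check, while `encoder_over_budget` outputs a fresh pair, as any encoder whose rate exceeds $\log t$ must do for most messages, and is caught unless its guessed $y$ happens to lie on the curve (probability $2^{-k}$). Two deviations from the proof are made for the toy: $P_h$ has degree $t$ rather than $t + 1$, so that $t + 1$ samples determine it uniquely, and the adversary keeps drawing until it holds $t + 1$ distinct $x$ values, which matters at this field size. A single fixed history is used.

```python
import random

# Arithmetic in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
# k = 8 is a toy field size chosen for a short example; the proof works over GF(2^k).
K_BITS = 8
FIELD_SIZE = 1 << K_BITS
REDUCER = 0x11B


def gf_mul(a, b):
    """Multiply two field elements (carry-less multiply, reduced modulo REDUCER)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & FIELD_SIZE:
            a ^= REDUCER
        b >>= 1
    return p


def gf_inv(a):
    """Inverse via a^(2^8 - 2) = a^254 (a must be non-zero)."""
    r, e = 1, FIELD_SIZE - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the
    given points (distinct x-coordinates): the adversary's 'interpolate P_h' step."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = gf_mul(num, x ^ xj)
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total


def make_channel(t, rng):
    """C_h for one fixed history h: P_h is a random polynomial (degree t here, so
    that t+1 points determine it) and one draw is (x, P_h(x)) for uniform x."""
    coeffs = [rng.randrange(FIELD_SIZE) for _ in range(t + 1)]

    def draw():
        x = rng.randrange(FIELD_SIZE)
        return (x, poly_eval(coeffs, x))
    return draw


def encoder_within_budget(draw, m, t):
    """Draws t samples and outputs one of them: at most log t bits per document."""
    samples = [draw() for _ in range(t)]
    return samples[m % t]


def encoder_over_budget(draw, m, t, rng):
    """Draws t samples but outputs a pair it never saw, which an encoder whose rate
    exceeds log t must do for most messages; the y value is a guess."""
    seen = {x for x, _ in (draw() for _ in range(t))}
    x = rng.randrange(FIELD_SIZE)
    while x in seen:
        x = rng.randrange(FIELD_SIZE)
    return (x, rng.randrange(FIELD_SIZE))


def distinguisher(draw, encode, t, rng):
    """Adversary A of Theorem 6.1: interpolate P_h from t+1 distinct samples, then
    output 1 iff the oracle's stegotext (x*, y*) lies off the curve."""
    points = {}
    while len(points) < t + 1:
        x, y = draw()
        points[x] = y
    m_star = rng.randrange(FIELD_SIZE)
    x_star, y_star = encode(m_star)
    return 1 if lagrange_eval(list(points.items()), x_star) != y_star else 0


def experiment(seed=1, t=8, trials=50):
    """Returns (detections of the within-budget encoder, detections of the over-budget one)."""
    rng = random.Random(seed)
    draw = make_channel(t, rng)
    hits_within = sum(distinguisher(draw, lambda m: encoder_within_budget(draw, m, t), t, rng)
                      for _ in range(trials))
    hits_over = sum(distinguisher(draw, lambda m: encoder_over_budget(draw, m, t, rng), t, rng)
                    for _ in range(trials))
    return hits_within, hits_over


if __name__ == "__main__":
    print(experiment())
```

The within-budget encoder is never flagged because every pair it emits is a genuine channel draw, whereas the over-budget encoder is flagged in all but about one trial in $2^k$, matching the $2^{-k}$ term of the theorem.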
6.2.2 $\mathrm{MAX}_C(S)$

We exhibit a chosen-history, chosen-hiddentext distinguisher for any black box stegosystem $(SE, SD)$ which encodes $\mathcal{R}_C(S) > H_\infty(C^l_h)$ bits of hiddentext in $l$ documents of stegotext non-negligibly often.

Suppose we have a specific history $h$ such that $SE$ encodes $\ell + 1$ bits by samples from $C^l_h$, and $H_\infty(C^l_h) = \ell$. (If such histories occur non-negligibly often then we can find one by sampling from an oracle for $SE$; if they do not then the rate of the stegosystem doesn't exceed $H_\infty(C^l_h)$.) Since $H_\infty(C^l_h) = \ell$, we know there is at least one $l$-document string, $s^*$, which has probability $2^{-\ell}$ under $C^l_h$, and no other string has more probability mass than $s^*$. Now, if $SE$ were deterministic, then we would have that

\[
\Pr[SE(m) = s^* : m \leftarrow U_{\ell+1}] \le 2^{-(\ell+1)} ,
\]

by the unique decoding property. Even if $SE$ is randomized, then for any fixed random bits $r$, we have

\[
\Pr[SE(m; r) = s^* : m \leftarrow U_{\ell+1}] \le 2^{-(\ell+1)} .
\]

But then by an averaging argument, there must be some $m^* \in \{0,1\}^{\ell+1}$ such that $\Pr[SE(m^*) = s^*] \le 2^{-(\ell+1)}$. In contrast, a covertext oracle $CT$ will have $\Pr[CT(m) = s^*] = 2^{-\ell}$, for any $m \in \{0,1\}^*$. This gap is wide enough to detect with high confidence, given $\mathrm{poly}(2^\ell)$ chosen hiddentext samples. And since we are restricted to $\ell = O(\log t)$ by $\mathrm{MAX}_t(S)$ this yields a polynomial-time distinguisher between a covertext oracle and a stegotext oracle.

Theorem  6.2.  Let  n  —  2l .  Then, 

InSecf tC(0(n3),  2 n3,  k)  >  1  —  e~n/ 32  -  e"n/96  -  e-n/108  -  2ne.-n/128  , 
when  HooiCfr)  =  i  and  lZc{S)  >1+1. 

Proof.  We  define  an  adversary  W  with  the  stated  advantage.  W°  executes  the  fol¬ 
lowing  steps: 

•  W  takes  n2  samples  from  Clh.  Let  s  be  the  most  commonly  occurring  /-document 
in  the  sample  set  and  let  p  be  the  number  of  times  s  occurs  in  the  sample. 
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•  For  each  document  m  G  {0, 1  }£+1,  W  draws  n 2  samples  from  0{m).  Let  pm  be 
the  number  of  occurrences  of  s  in  the  samples  from  0{m). 

•  If  for  any  m,  pm  <  |p,  W  outputs  1.  Otherwise  W  outputs  0. 

We will bound the probability that W outputs 1 given a stegotext oracle and a
covertext oracle, respectively.

From the preceding paragraph, we know that when W has a stegotext oracle, there
exists an $m^*$ such that $\mathrm{E}[p_{m^*}] \le n^2 \cdot 2^{-(\ell+1)} = n/2$, and we know that
$\mathrm{E}[p] = n^2 \cdot 2^{-\ell} = n$. So W will only output 0 if p is much smaller than
expected, or if $p_{m^*}$ is much larger than expected. Specifically, we have:

$$\begin{aligned}
\Pr[W^{ST}(1^k) = 0]
 &= \Pr[p < \tfrac{3}{4}n \wedge \forall m.\, p_m \ge \tfrac{3}{4}p]
  + \Pr[p \ge \tfrac{3}{4}n \wedge \forall m.\, p_m \ge \tfrac{3}{4}p] \\
 &\le \Pr[p < \tfrac{3}{4}n] + \Pr[p_{m^*} \ge \tfrac{3}{4}p \mid p \ge \tfrac{3}{4}n]\,\Pr[p \ge \tfrac{3}{4}n] \\
 &\le \Pr[p < \tfrac{3}{4}n] + \Pr[p_{m^*} \ge \tfrac{3}{4}p \mid p \ge \tfrac{3}{4}n] \\
 &\le \Pr[p < \tfrac{3}{4}n] + \Pr[p_{m^*} \ge \tfrac{9}{16}n] \\
 &\le e^{-n/32} + e^{-n/96} ,
\end{aligned}$$

where the last line follows by multiplicative Chernoff bounds, using $\mathrm{E}[p] = n$ and
$\mathrm{E}[p_{m^*}] \le n/2$. Thus we have

$$\Pr[W^{ST}(1^k) = 1] \ge 1 - e^{-n/32} - e^{-n/96} .$$

We know that when W has a covertext oracle, it should be the case that for every
$m \in \{0,1\}^{\ell+1}$, $\mathrm{E}[p_m] = n^2 \cdot 2^{-\ell} = n$. Thus W should only output 1 when p is
much larger than expected, or some $p_m$ is much smaller than its expectation.
Specifically, we have that

$$\begin{aligned}
\Pr[W^{CT}(1^k) = 1]
 &= \Pr[p > \tfrac{7}{6}n \wedge \exists m.\, p_m < \tfrac{3}{4}p]
  + \Pr[p \le \tfrac{7}{6}n \wedge \exists m.\, p_m < \tfrac{3}{4}p] \\
 &\le \Pr[p > \tfrac{7}{6}n] + \Pr[\exists m.\, p_m < \tfrac{3}{4}p \mid p \le \tfrac{7}{6}n] \\
 &\le \Pr[p > \tfrac{7}{6}n] + 2n \Pr[p_m < \tfrac{7}{8}n] \\
 &\le e^{-n/108} + 2n e^{-n/128} ,
\end{aligned}$$

where the last two lines follow by the union bound (over the $2n$ hiddentexts) and
multiplicative Chernoff bounds.
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Combining  these  bounds,  we  have 

Ad vSw,s,c(k)  =  Pr[WST(lk )  =  1]  -  Pr[WCT(lk)  =  1] 

>  1  -  e~n/32  +  e_n/96  -  e_n/108  +  2ne~n/128 
The  theorem  follows  by  the  definition  of  insecurity.  □ 

We  note  that  for  any  distribution  T>  which  covers  {0, 1}^+1,  W  can  easily  be 
adapted  to  be  a  KHA-2?  attack  against  S;  and  that  W  can  even  be  extended  to 
a  KDA-C/(^+1)n2  attack  against  S  by  counting  the  occurrences  of  s*  for  the  various 
blocks. 
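The warden of Theorem 6.2, run against a constructed channel and a toy over-rate
stegosystem, as an added Python example; this is not code from the thesis. The
channel (sixteen equiprobable documents, so $H_\infty(C_h) = \ell = 4$), the keyed tag
that stands in for the decoder, the constant key, and the use of two independent
channel samples (one to pick s, one to estimate p, so that p is not a maximum
statistic at this toy size) are all assumptions made for the illustration. The oracles
take no history argument because the toy channel is memoryless.

```python
import hashlib
import random
from collections import Counter

# Added illustration, not code from the thesis.
ELL = 4                                        # H_inf(C_h) = ELL
N_DOCS = 2 ** ELL                              # n = 2^ell
DOCS = [f"doc{i:02d}" for i in range(N_DOCS)]  # constructed, equiprobable channel
KEY = b"constructed-demo-key"                  # hypothetical shared key K


def tag(doc: str) -> int:
    """Keyed (ELL+1)-bit tag of a document; plays the role of SD(K, s)."""
    digest = hashlib.sha256(KEY + doc.encode()).digest()
    return digest[0] % (2 ** (ELL + 1))


def covertext_oracle(m: int, k: int, rng: random.Random) -> list:
    """CT: ignores the hiddentext m and returns k channel samples."""
    return rng.choices(DOCS, k=k)


def stego_oracle(m: int, k: int, rng: random.Random) -> list:
    """ST for a toy stegosystem that tries to send ELL+1 bits per document:
    it emits the first document whose tag equals m (so SD decodes it), and
    falls back to a channel sample when m has no preimage at all."""
    preimages = [d for d in DOCS if tag(d) == m]
    if preimages:
        return [preimages[0]] * k
    return rng.choices(DOCS, k=k)


def warden(oracle, samples_per_query: int = 1000 * N_DOCS, seed: int = 1) -> int:
    """W of Theorem 6.2: output 1 ("stegotext") iff for some hiddentext m the
    most frequent channel document s is underrepresented in O(m)."""
    rng = random.Random(seed)
    # s from one channel sample, p from an independent one (assumption that
    # keeps p an unbiased count; the thesis reuses one sample and takes n large).
    s = Counter(rng.choices(DOCS, k=samples_per_query)).most_common(1)[0][0]
    p = rng.choices(DOCS, k=samples_per_query).count(s)
    for m in range(2 ** (ELL + 1)):            # every (ell+1)-bit hiddentext
        p_m = oracle(m, samples_per_query, rng).count(s)
        if p_m < 0.75 * p:                     # the 3/4 threshold of the proof
            return 1
    return 0


if __name__ == "__main__":
    print("stegotext oracle ->", warden(stego_oracle))
    print("covertext oracle ->", warden(covertext_oracle))
```

Because the toy stegosystem is deterministic for every hiddentext that has a
preimage, $p_m$ drops to 0 for such an m, which is the extreme form of the gap
$2^{-(\ell+1)}$ versus $2^{-\ell}$ the proof exploits; against the covertext oracle every
$p_m$ concentrates around p and the test never fires.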

6.2.3 Bidirectional communication does not help

Suppose Alice and Bob wish to communicate steganographically at a high rate, using
a bidirectional channel; that is, Bob is allowed to respond to Alice's messages with
messages drawn from his own channel distribution. A natural question is, "can Alice
and Bob conspire to increase the rate at which Alice may securely transmit information
to Bob?" We will show that an interactive stegosystem can increase the rate at
which information is transmitted by at most one bit. The proof is straightforward:
we show that any stegosystem S for a bidirectional channel B can be converted into
a stegosystem S' with the same rate for a unidirectional channel C on pairs from
$B.D \times B.D$. S' runs in the same time as S and draws as many samples from C as
Alice and Bob (combined) draw from B in each time step. Thus the upper bound
$\mathrm{MAX}_t(S')$ implies that at most one bit more can be sent due to sampling, and the
$\mathrm{MAX}_C(S')$ bound implies that minimum entropy constraints still apply.

In order to address this issue, we will first need to formalize the concept of a
bidirectional stegosystem.

Definition 6.3. (Bidirectional Stegosystem) A Bidirectional Stegosystem S for the
bidirectional channel $B = (D, \mathcal{H}, C^A, C^B)$ is a triple of algorithms:

• S.Encode (abbreviated SE) takes as input a key $K \in \{0,1\}^k$, a string $m \in \{0,1\}^*$
  (the hiddentext), a message history $h \in (D \times D)^*$, and a session history
  $T \in (D \times D)^*$.

  $SE(K, m, h, T)$ returns a document from D, or the special symbol done.

• S.Facilitate (abbreviated SF) takes as input a key K, a message history h
  and a session history T.

  $SF(K, h, T)$ returns a document from D.

• S.Decode (abbreviated SD) takes as input a key K, a sequence of documents
  $s_1 \| s_2 \| \cdots \| s_l$, and a message history h.

  $SD(K, s, h)$ returns a hiddentext $m \in \{0,1\}^*$.

We denote the transcript of $(K, m, h)$ by the result of setting $s_0(A) = SE(K, m, h_A, ())$,
$s_0(B) = SF(K, h_B, ())$, and

$$s_i(A) = SE(K, m, h_A, (s_0, \ldots, s_{i-1})), \qquad s_i(B) = SF(K, h_B, (s_0, \ldots, s_{i-1}))$$

until $s_i(A) = \mathrm{done}$, where $s_i = (s_i(A), s_i(B))$ is the pair of documents exchanged
in round i.

We say that S is correct if for all $m \in \{0,1\}^{\mathrm{poly}(k)}$, $\Pr[SD(K, (s_0, \ldots, s_i), h) \ne m]$
is negligible.

In addition, we formalize the notion of a bidirectional chosen hiddentext attack
(BCHA) by an oracle adversary W given access to an oracle O drawn from one of two
distributions:

• $ST_{\mathrm{bcha}}(m, h)$: has uniformly chosen key K and responds to queries (m, h)
  by computing a transcript of (K, m, h).

• $CT_{\mathrm{bcha}}(m, h)$: responds to queries by drawing a sequence from B of the same
  length as a (K, m, h) transcript.

We define BCHA advantage ($\mathrm{Adv}^{\mathrm{bcha}}_{W,S,B}(k)$) and insecurity ($\mathrm{InSec}^{\mathrm{bcha}}_{S,B}(t, q, \mu, k)$)
according to the previous conventions.

Theorem 6.4. Any (h, l, t)-sampling bidirectional stegosystem S for the bidirectional
channel B can be converted to a (h, l, 2t)-sampling stegosystem S' for a channel C such
that $\mathcal{R}_C(S') = \mathcal{R}_B(S)$ and $\mathrm{InSec}^{\mathrm{cha}}_{S',C}(t', q, \mu, k) = \mathrm{InSec}^{\mathrm{bcha}}_{S,B}(t', q, \mu, k)$.

Proof. We define the channel C as a distribution on sequences of pairs from $B.D \times B.D$.
The marginal distribution $C_h$ is defined by $(B.C^A_h, B.C^B_h)$.

The stegosystem S' has the same keyspace as S. The new encoding algorithm
$S'.SE(K, m, h)$ works by computing a transcript $s_0, \ldots, s_l$ for (K, m, h) as follows:
for each i, $S'.SE$ simulates S.SE by making draws from $C_{h, s_0, \ldots, s_{i-1}}$ and extracting
the first element of each pair; likewise $S'.SE$ simulates S.SF by making draws from
$C_{h, s_0, \ldots, s_{i-1}}$ and extracting the second element of each pair. $S'.SE(K, m, h)$ then
outputs this transcript as the stegotext. Notice that since S.SE and S.SF each draw at
most t samples from $B.C^A_h$ and $B.C^B_h$, respectively, $S'.SE$ draws at most 2t samples
from $C_h$. The decoding algorithm $S'.SD(K, s, h)$ simply runs the decoding algorithm
$S.SD(K, s, h)$.

Notice that the chosen-hiddentext oracles ST, CT for S' are identically distributed
to the bidirectional chosen-hiddentext oracles $ST_{\mathrm{bcha}}$, $CT_{\mathrm{bcha}}$ for S. Thus any warden
for S' is a warden for S and vice versa, with the advantage preserved. Thus S' is as
secure for C as S is for B, as claimed. It is also clear that the rate of S' is the same
as that of S, which completes the proof. □


6.3  Lower  bound 

We will prove a lower bound on the achievable rate which matches the stated upper
bound, up to a multiplicative factor which converges to 1. The lower bound is proven
by giving a stegosystem which achieves this rate. We will first give one that achieves
rate $(1 - \varepsilon)\mathrm{MAX}$ for any $\varepsilon > 0$, but which has polynomial rather than negligible
error rate. We will then use error-correcting codes to improve the error rate, and
finally give a construction which does not require Alice or Bob to know the minimum
entropy of C.

6.3.1 With errors

We will assume for the moment that both Alice and Bob know a value l so that
$\lambda \le (1 - \varepsilon)\mathrm{MAX}(C^l_h, t)$. We let $F : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^\lambda$ be a pseudorandom function,
and assume Alice and Bob share a key $K \in \{0,1\}^k$. The following construction allows
Alice to send Bob a $\lambda$-bit message, with error probability at most $\lambda 2^{-\varepsilon\lambda}$.

Construction 6.5. OneBlock Stegosystem

Procedure OneBlock.Encode:
  Input: $K \in \{0,1\}^k$, $m \in \{0,1\}^\lambda$, $h \in D^*$, N, l
  Let $i = 0$, $c[\cdot] = 0$
  repeat:
    Draw $s_i \leftarrow C^l_h$
    increment i, $c[s_i]$
  until $F_K(N, h, c[s_i], s_i) = m$ or $i = \lambda 2^\lambda$
  Output: $s_i$

Procedure OneBlock.Decode:
  Input: $K \in \{0,1\}^k$, $s \in D^l$, h, N
  Output: $F_K(N, h, 1, s)$

Theorem 6.6.

$$\Pr[SD(K, SE(K, m, h, N, l), h, N) \ne m] \le e^{-\lambda} + \lambda 2^{\lambda - H_\infty(C^l_h)} + \mathrm{InSec}^{\mathrm{prf}}_F(O(\lambda 2^\lambda), \lambda 2^\lambda, k)$$

Proof. We will show that when $F_K$ is replaced by a random function f,

$$\Pr[SD^f(SE^f(m, h, N, l), h, N) \ne m] \le e^{-\lambda} + \lambda 2^{\lambda - H_\infty(C^l_h)} .$$

We can then construct a PRF adversary A with advantage at least

$$\mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) \ge \Pr[SD(K, SE(K, m)) \ne m] - \left(e^{-\lambda} + \lambda 2^{\lambda - H_\infty(C^l_h)}\right) ,$$

which will give the desired bound.

Let C denote the event that $\mathrm{OneBlock.Encode}^f(m)$ outputs an $s_i$ with $c[s_i] > 1$.
This happens when there is at least one $j < i$ such that $s_j = s_i$. Thus by the union
bound, we have

$$\Pr[C] \le \sum_{j < i} \Pr[s_j = s_i] .$$

Since for each j, $\Pr[s_j = s_i] \le 2^{-H_\infty(C^l_h)}$, and since $i \le \lambda 2^\lambda$, we get the bound

$$\Pr[C] \le \lambda 2^{\lambda - H_\infty(C^l_h)} .$$

Let D denote the event that $\mathrm{OneBlock.Encode}^f(m)$ outputs $s_{\lambda 2^\lambda}$ because the cutoff
was reached. This happens when each of the $\lambda 2^\lambda$ tests $f(N, h, c[s_j], s_j) = m$ fails.
Since each test involves a distinct point of f, each of them fails independently with
probability $1 - 1/2^\lambda$. Since the events are independent, we can bound $\Pr[D]$ by

$$\Pr[D] = \left(1 - \frac{1}{2^\lambda}\right)^{\lambda 2^\lambda} \le e^{-\lambda} .$$

Since the only other condition under which $\mathrm{OneBlock.Encode}^f(m)$ outputs $s_i$ is that
$f(N, h, 1, s_i) = m$, in which case decoding succeeds, we have that

$$\Pr[SD^f(SE^f(m)) \ne m] \le \Pr[C \vee D] \le e^{-\lambda} + \lambda 2^{\lambda - H_\infty(C^l_h)} .$$

We now describe a PRF adversary A for F. $A^f$ picks $m \in \{0,1\}^\lambda$ and runs
$\mathrm{OneBlock.Encode}^f(m, (), 0, l)$ (empty history, nonce 0) to get a sequence $s \in D^l$.
$A^f$ then outputs 1 if $f(0, (), 1, s) \ne m$, that is, if $SD^f$ fails to decode s. Clearly,
when A's oracle f is $F_K$, we have

$$\Pr[A^{F_K}(1^k) = 1] = \Pr[SD(K, SE(K, m, h, N, l), h, N) \ne m] ,$$

and when f is a randomly chosen function from $\{0,1\}^* \to \{0,1\}^\lambda$, we have shown
that

$$\Pr[A^f(1^k) = 1] \le e^{-\lambda} + \lambda 2^{\lambda - H_\infty(C^l_h)} .$$

It follows that

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) &= \Pr[A^{F_K}(1^k) = 1] - \Pr[A^f(1^k) = 1] \\
 &\ge \Pr[SD(K, SE(K, m, h), h) \ne m] - \left(e^{-\lambda} + \lambda 2^{\lambda - H_\infty(C^l_h)}\right) .
\end{aligned}$$

And rearranging terms gives us the stated theorem:

$$\begin{aligned}
\Pr[SD(K, SE(K, m, h), h) \ne m] &\le \mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) + e^{-\lambda} + \lambda 2^{\lambda - H_\infty(C^l_h)} \\
 &\le \mathrm{InSec}^{\mathrm{prf}}_F(O(\lambda 2^\lambda), \lambda 2^\lambda, k) + e^{-\lambda} + \lambda 2^{\lambda - H_\infty(C^l_h)} .
\end{aligned}$$

□
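Construction 6.5 instantiated end to end, as an added Python example; this is not
the thesis's code. It assumes HMAC-SHA256 as the pseudorandom function $F$, a
constructed uniform channel of 64 documents (so $H_\infty(C^l_h) = 6$ with $l = 1$), a
constant key, and $\lambda = 3$. `error_rate` measures the decoding error empirically so
that it can be compared with the bound of Theorem 6.6, and `encode_blocks` shows
how several blocks are chained under one nonce with a growing history, as
MultiBlock and the adversary X of Theorem 6.11 use OneBlock.

```python
import hashlib
import hmac
import math
import random

# Added illustration of Construction 6.5 (OneBlock); not code from the thesis.
LAMBDA = 3                                  # hiddentext bits per block
H_INF = 6                                   # min-entropy of the constructed channel
DOCS = [f"d{i:02d}" for i in range(2 ** H_INF)]
KEY = b"constructed-demo-key"               # hypothetical shared key K
MAX_TRIES = LAMBDA * 2 ** LAMBDA            # the lambda * 2^lambda cutoff


def F(key: bytes, nonce: int, history: tuple, count: int, doc: str) -> int:
    """F_K(N, h, c, s) -> {0,1}^LAMBDA, instantiated with HMAC-SHA256 over an
    encoding of the four inputs (unambiguous because no field contains '|')."""
    msg = f"{nonce}|{'/'.join(history)}|{count}|{doc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[0] % (2 ** LAMBDA)


def oneblock_encode(key, m, history, nonce, rng):
    """Draw s from the channel until F_K(N, h, c[s], s) = m, or stop at the
    cutoff; c[s] counts how often s has been drawn so far."""
    counts = {}
    for i in range(1, MAX_TRIES + 1):
        s = rng.choice(DOCS)                # s_i <- C_h
        counts[s] = counts.get(s, 0) + 1
        if F(key, nonce, history, counts[s], s) == m or i == MAX_TRIES:
            return s


def oneblock_decode(key, s, history, nonce):
    """Bob never learns c[s], so he evaluates F_K(N, h, 1, s); decoding fails
    exactly when the accepted draw was a repeat (event C) or the cutoff was
    hit (event D)."""
    return F(key, nonce, history, 1, s)


def encode_blocks(key, blocks, nonce, rng):
    """Chain blocks under one nonce, the history growing by each document."""
    history, out = (), []
    for m in blocks:
        s = oneblock_encode(key, m, history, nonce, rng)
        out.append(s)
        history += (s,)
    return out


def decode_blocks(key, stegotext, nonce):
    history, out = (), []
    for s in stegotext:
        out.append(oneblock_decode(key, s, history, nonce))
        history += (s,)
    return out


def theorem_bound() -> float:
    """e^-lambda + lambda * 2^(lambda - H_inf), the ideal-F part of Theorem 6.6."""
    return math.exp(-LAMBDA) + LAMBDA * 2 ** (LAMBDA - H_INF)


def error_rate(trials: int = 2000, seed: int = 7) -> float:
    """Empirical per-block decoding error, one fresh nonce per trial."""
    rng = random.Random(seed)
    errors = 0
    for nonce in range(trials):
        m = rng.randrange(2 ** LAMBDA)
        s = oneblock_encode(KEY, m, (), nonce, rng)
        errors += oneblock_decode(KEY, s, (), nonce) != m
    return errors / trials


if __name__ == "__main__":
    print("measured error", error_rate(), "bound", round(theorem_bound(), 4))
    stego = encode_blocks(KEY, [5, 2, 7, 0], 42, random.Random(11))
    print(stego, "->", decode_blocks(KEY, stego, 42))
```

With these parameters the bound is about 0.42 while the measured error is well
below it; the dominant failure in practice is event C (an accepted document that
had already been drawn once), which is why a larger gap between $\lambda$ and
$H_\infty(C^l_h)$ shrinks the error so quickly.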


Theorem 6.7.

$$\mathrm{InSec}^{\mathrm{cha}}_{\mathrm{OneBlock},C}(t, q, q\lambda, k) \le \mathrm{InSec}^{\mathrm{prf}}_F(t', q\lambda 2^\lambda, k) ,$$

where $t' \le t + O(q\lambda 2^\lambda)$.

Proof. Fix any nonce-respecting $W \in \mathcal{W}(t, q, q\lambda)$. We will show how to construct a
PRF adversary A for F such that

$$\mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) = \mathrm{Adv}^{\mathrm{cha}}_{W,\mathrm{OneBlock},C}(k) .$$

$A^f$ works by emulating W, responding to its queries by running $\mathrm{OneBlock.Encode}^f$;
when W halts with output b, A outputs b as well. Clearly, when $f = F_K$, we have
that

$$\Pr[A^{F_K}(1^k) = 1] = \Pr[W^{ST}(1^k) = 1] .$$

When f is a randomly chosen function, since W is nonce-respecting, A never
evaluates f on any point twice. Thus $A^f$ is equivalent to a process which draws a
new, independent function at each stage. In this model, for any $d \in D^l$, we have
that $\Pr[SE(m, h) = d] = \Pr_{s \leftarrow C^l_h}[s = d \mid f(s) = m]$, and since s and f are drawn
independently, we have that $\Pr[SE(m, h) = d] = \Pr_{C^l_h}[d]$. Thus A's responses to W's
queries are distributed according to C, so

$$\Pr[A^f(1^k) = 1] = \Pr[W^{CT}(1^k) = 1] .$$

Combining the cases yields:

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) &= \left|\Pr[A^{F_K}(1^k) = 1] - \Pr[A^f(1^k) = 1]\right| \\
 &= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1]\right| \\
 &= \mathrm{Adv}^{\mathrm{cha}}_{W,\mathrm{OneBlock},C}(k) ,
\end{aligned}$$

which proves the theorem. □

Theorem 6.8. The rate of OneBlock is $(1 - \varepsilon)\mathrm{MAX}_C(h, l, \lambda 2^\lambda)$.

Proof. Suppose that $\mathrm{MAX}_C(h, l, t) = H_\infty(C^l_h)$. In this case, by choice of l and $\lambda$,
OneBlock sends $\lambda = (1 - \varepsilon)H_\infty(C^l_h) = (1 - \varepsilon)\mathrm{MAX}$ bits in l documents. On the other
hand, if $\mathrm{MAX}_C(h, l, \lambda 2^\lambda) = \log(\lambda 2^\lambda) = \lambda + \log\lambda$, then since OneBlock sends $\lambda$ bits
in l documents, we have that

$$\frac{\mathcal{R}_C(\mathrm{OneBlock})}{\mathrm{MAX}} = \frac{\lambda}{\lambda + \log\lambda} \ge (1 - \varepsilon) ,$$

where the last inequality holds for sufficiently large $\lambda$. □
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6.3.2  Negligible  error  rate 

Let  K  =  GF( 2a).  This  next  construction  utilizes  the  following  well-known  fact: 

Proposition  6.9.  ([11])  There  is  a  polynomial-time  algorithm  Correct  to  solve  the 
following  problem:  given  n  =  2A  pairs  (xi,yi), . . .  ,  (xn,yn)  G  K2,  if  there  is  a  poly¬ 
nomial  p{x)  of  degree  \K\  —  2 1  such  that  at  most  t  pairs  do  not  satisfy  y*  =  p(xi), 
recover  p. 

We  will  use  the  Berlekamp- Welch [60]  algorithm,  Correct,  to  reduce  the  probabil¬ 
ity  of  encoding  error  in  the  OneBlock  construction.  In  the  following  construction,  we 
let  n  =  2A,  p  =  A2_eA+2,  and  p  =  (1  —  2 p)n.  The  following  construction  securely  hides 
messages  in  {0,  l}Ax??: 

Construction 6.10. MultiBlock Stegosystem

Procedure MultiBlock.Encode:
  Input: K, $m_0, \ldots, m_{\eta-1}$, h, N
  for i = 1 to n do:
    set $x_i = \langle i \rangle$
    set $y_i = \sum_{j=0}^{\eta-1} m_j x_i^j$
    set $s_i = \mathrm{OneBlock.SE}(K, y_i, h, N, l)$
    set $h = (h, s_i)$
  Output: $s_1, \ldots, s_n$

Procedure MultiBlock.Decode:
  Input: K, $s_1, \ldots, s_n \in D^l$, h, N
  for i = 1 to n do:
    set $x_i = \langle i \rangle$
    set $y_i = \mathrm{OneBlock.SD}(K, s_i, h, N)$
    set $h = (h, s_i)$
  set $m_0, \ldots, m_{\eta-1} = \mathrm{Correct}((x_1, y_1), \ldots, (x_n, y_n))$
  Output: m

Theorem 6.11.

$$\mathrm{InSec}^{\mathrm{cha}}_{\mathrm{MultiBlock},C}(t, q, q\eta\lambda, k) \le \mathrm{InSec}^{\mathrm{prf}}_F(t + O(qn\lambda 2^\lambda), qn\lambda 2^\lambda, k)$$


Proof. We will show how to use an arbitrary $W \in \mathcal{W}(t, q, q\eta\lambda)$ against MultiBlock
to create an adversary $X \in \mathcal{W}(t, qn, qn\lambda)$ for OneBlock such that

$$\mathrm{Adv}^{\mathrm{cha}}_{W,\mathrm{MultiBlock},C}(k) = \mathrm{Adv}^{\mathrm{cha}}_{X,\mathrm{OneBlock},C}(k) .$$

The stated bound follows from the definition of insecurity and Theorem 6.7.

$X^O$ works by running W, and responding to W's queries using its own oracle
O. When W queries $(m_0 \cdots m_{\eta-1}, h, N)$, X produces the values $y_1, \ldots, y_n$, where
$y_i = \sum_{j=0}^{\eta-1} m_j \langle i \rangle^j$, and then queries the sequences $s_i = O(y_i, (h, s_1, \ldots, s_{i-1}), N)$, to
produce the result $s_1, \ldots, s_n$, which is returned to W. Now when $O \leftarrow ST_{\mathrm{OneBlock}}$, it
is clear that X is perfectly simulating MultiBlock to W, so

$$\Pr[X^{ST_{\mathrm{OneBlock}}}(1^k) = 1] = \Pr[W^{ST_{\mathrm{MultiBlock}}}(1^k) = 1] .$$

When $O \leftarrow CT_{\mathrm{OneBlock}}$, it is also clear that X is perfectly simulating samples from
the channel to W, so

$$\Pr[X^{CT_{\mathrm{OneBlock}}}(1^k) = 1] = \Pr[W^{CT_{\mathrm{MultiBlock}}}(1^k) = 1] .$$

Combining these cases, we have that

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{cha}}_{X,\mathrm{OneBlock},C}(k) &= \left|\Pr[X^{ST_{\mathrm{OneBlock}}}(1^k) = 1] - \Pr[X^{CT_{\mathrm{OneBlock}}}(1^k) = 1]\right| \\
 &= \left|\Pr[W^{ST_{\mathrm{MultiBlock}}}(1^k) = 1] - \Pr[W^{CT_{\mathrm{MultiBlock}}}(1^k) = 1]\right| \\
 &= \mathrm{Adv}^{\mathrm{cha}}_{W,\mathrm{MultiBlock},C}(k) ,
\end{aligned}$$

which completes the proof. □


Theorem 6.12. If F is pseudorandom, then

$$\Pr[\mathrm{MultiBlock.SD}(K, \mathrm{MultiBlock.SE}(K, m, h), h) \ne m] \le e^{-n\rho/3} ,$$

which is negligible in $n = 2^\lambda$.

Proof. As long as there are at most $\rho n$ errors, Proposition 6.9 ensures us that Correct
can recover the message $m_0, \ldots, m_{\eta-1}$. Thus the probability of a decoding error is at
most the probability of $\rho n$ blocks having decoding errors in OneBlock.Decode. But
Theorem 6.6 states that the probability of decoding error in OneBlock.Decode is
at most $\rho$ when F is pseudorandom; applying a Chernoff bound yields the stated
result. □

Theorem 6.13. The rate of MultiBlock is $(1 - \varepsilon - o(1))\mathrm{MAX}_C(h, l, \lambda 2^\lambda)$.

Proof. The rate of MultiBlock is the rate of OneBlock multiplied by the rate of the
error-correcting code used in encoding. Since this rate is $(1 - 2\rho) = 1 - \lambda 2^{-\varepsilon\lambda + 3}$,
we have that the rate converges to 1 as $\lambda \to \infty$, that is, the rate of the code is
$(1 - o(1))$. □
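Proposition 6.9 and the error-correcting layer of Construction 6.10 worked through
in Python, as an added example that is not part of the thesis. It assumes $\lambda = 4$,
the field $GF(2^4)$ with the chosen modulus $x^4 + x + 1$, evaluation points
$x_i = \langle i \rangle$ for $i = 0, \ldots, 15$, and $\eta = 8$ message blocks, so that up to $t = (n - \eta)/2 = 4$
block errors are corrected. The OneBlock layer is left out: each field element $y_i$
stands for one OneBlock-encoded block, and a block decoding error is modelled by
overwriting $y_i$ directly. `correct` is a plain Berlekamp-Welch decoder written for
this illustration, not the implementation cited as [11] or [60].

```python
# Added illustration of Proposition 6.9 / Construction 6.10; not thesis code.
LAMBDA = 4
FIELD = 1 << LAMBDA            # |K| = n = 2^lambda = 16
MODULUS = 0b10011              # x^4 + x + 1 (chosen for the example)
XS = list(range(FIELD))        # x_i = <i>, one evaluation point per block
ETA = 8                        # message blocks; t = (16 - 8) / 2 = 4 errors


def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & FIELD:
            a ^= MODULUS
        b >>= 1
    return r


def gf_inv(a: int) -> int:           # a^(2^lambda - 2) = a^-1 for a != 0
    r, e = 1, FIELD - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def poly_eval(coeffs, x):            # coeffs[j] multiplies x^j
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r


def multiblock_encode(m):
    """y_i = sum_j m_j x_i^j for every evaluation point (the Encode loop)."""
    return [poly_eval(m, x) for x in XS]


def solve(rows, rhs):
    """Gauss-Jordan over GF(2^lambda); one solution, or None if inconsistent."""
    A = [r[:] + [b] for r, b in zip(rows, rhs)]
    n_rows, n_cols, pivots, r = len(A), len(rows[0]), [], 0
    for c in range(n_cols):
        piv = next((i for i in range(r, n_rows) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = gf_inv(A[r][c])
        A[r] = [gf_mul(inv, v) for v in A[r]]
        for i in range(n_rows):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [v ^ gf_mul(f, w) for v, w in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(A[i][-1] for i in range(r, n_rows)):
        return None                  # no (E, Q) exists: more than t errors
    x = [0] * n_cols
    for i, c in enumerate(pivots):
        x[c] = A[i][-1]
    return x


def poly_divmod(num, den):
    num, dlen, inv = num[:], len(den), gf_inv(den[-1])
    q = [0] * (len(num) - dlen + 1)
    for i in range(len(num) - dlen, -1, -1):
        q[i] = gf_mul(num[i + dlen - 1], inv)
        for j, d in enumerate(den):
            num[i + j] ^= gf_mul(q[i], d)
    return q, num[:dlen - 1]


def correct(xs, ys, eta=ETA):
    """Berlekamp-Welch: solve for a monic error locator E of degree t and Q of
    degree < eta + t with Q(x_i) = y_i E(x_i) for all i; then P = Q / E."""
    n = len(xs)
    t = (n - eta) // 2
    rows, rhs = [], []
    for x, y in zip(xs, ys):
        xp = [1]
        for _ in range(eta + t):
            xp.append(gf_mul(xp[-1], x))
        rows.append(xp[:eta + t] + [gf_mul(y, xp[j]) for j in range(t)])
        rhs.append(gf_mul(y, xp[t]))
    sol = solve(rows, rhs)
    if sol is None:
        return None
    Q, E = sol[:eta + t], sol[eta + t:] + [1]
    P, rem = poly_divmod(Q, E)
    return None if any(rem) else P
```

Any solution of the linear system works: $Q - PE$ has degree below $\eta + t$ and
vanishes on the at least $n - t = \eta + t$ correct points, so it is identically zero.
With $t + 1$ corrupted blocks the locator cannot cover every error, so the decoder
either reports inconsistency or returns a polynomial different from the message,
which is the regime Theorem 6.12 bounds away with the Chernoff argument.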
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6.3.3  Converging  to  optimal 


We  notice  that  if  e(k)  =  1/A  the  MultiBlock  construction  has  error  rate  at  most 
e-\-2x/3 ^  an(]  }ias  rate  (i  _  o(l))MAXc(h,t,l).  Thus  under  appropriate  parameter 
settings,  the  rate  of  the  construction  converges  to  the  optimal  rate  in  the  limit. 


6.3.4  Unknown  length 


Suppose  Alice  and  Bob  agree  at  the  time  of  key  exchange  to  use  the  MultiBlock 
stegosystem  with  hiddentext  block  size  A.  Since  neither  Alice  nor  Bob  necessarily 
know  the  values  (a,/?)  such  that  C  is  (a,  /3)-informative,  there  is  no  way  to  calculate 
or  exchange  beforehand  the  stegotext  block  size  l  so  that  A  <  (1  —  e)tt00(C/). 


Construction 6.14. FindBlock

Procedure Encode:
  Input: K, $m \in \{0,1\}^{\lambda n}$, h, N
  let l = 1
  repeat:
    let $t = F'_K(m)$
    let $s = \mathrm{LEnc}(K, m \| t, l, h, N)$
    increment l
  until $s \ne \bot$
  Output: s

Procedure LEnc:
  Input: K, m, l, h, N
  for i = 1 to n do:
    set $x_i = \langle i \rangle$
    set $y_i = \sum_j m_j x_i^j$
    set $s_i = \mathrm{OneBlock.SE}(K, y_i, h, N, l)$
  if $\mathrm{LDec}(K, s, l, h, N) \ne m$ set $s = \bot$
  Output: s

Procedure Decode:
  Input: K, $s_1, \ldots, s_t \in D$, h, N
  let l = 1
  repeat:
    let $m \| t = \mathrm{LDec}(K, s_1 \ldots s_{(n+k)l}, l, h, N)$
    increment l
  until $F'_K(m) = t$
  Output: m

Procedure LDec:
  Input: K, $s_1, \ldots, s_{n+k} \in D^l$, l, h, N
  for i = 1 to n do:
    set $x_i = \langle i \rangle$
    set $y_i = \mathrm{OneBlock.SD}(K, s_i, h, N)$
  set $m_0, \ldots, m_{\eta-1} = \mathrm{Correct}((x_1, y_1), \ldots, (x_n, y_n))$
  Output: m

The idea behind this construction is simple: Alice tries using MultiBlock with
block lengths l = 1, 2, ... until she finds one such that the decoding of the encoding of
her message is correct. With high probability, if $H_\infty(C^l_h) < \lambda n$ decoding will fail (the
block error rate will be at least $1 - \frac{1}{2}$), and as we have seen, when $H_\infty(C^{ln}_h) \ge (\lambda + 1)n$
decoding fails with only negligible probability. Since C is $(\alpha, \beta)$-informative, Alice will
need to try at most a number of values of l that depends only on $(\alpha, \beta)$. Alice also
encodes $k\lambda$ bits of "check" information with her message, so that when Bob decodes
with the wrong block size, he will be fooled with probability only $2^{-\lambda k}$. The rate
penalty for this check data is $o(1)$ when $n = \omega(k)$. Thus for sufficiently large $\lambda$ the
rate of this construction will still converge to the optimal rate for $C^l_h$.


6.4 Robust Steganography

Recall that a stegosystem is said to be substitution robust with respect to the relation
R if an adversary, by making substitutions permitted by R, is unable to change the
decoding of a stegotext, except with negligible probability. Since an adversary is
allowed to make changes to stegotexts, increasing the rate of a robust stegosystem is
a more challenging task. Here we will show that if a stegosystem is robust against
any $\delta$-admissible relation R (given access to R), then it can encode at most $\log(1/\delta)$
bits per document. We will also demonstrate an efficient, robust stegosystem which
encodes $(1 - \varepsilon - o(1))\log(1/\delta)$ bits per document, for any constant $\varepsilon > 0$, showing that
this upper bound is tight.

6.4.1 Upper Bound

Recall the definition of $\mathcal{I}(R, \mathcal{D}) = \max_y \sum_{x : (x, y) \in R} \Pr_{\mathcal{D}}[x]$. We will show that any
universal stegosystem for $\delta$-admissible relations R (given access to R) which attempts
to transmit more than $-t\log\delta$ bits in t documents is either not universally secret or
not universally robust.

Theorem 6.15. Let S be a universal stegosystem. For every $0 < \delta < 1$, there exist
a channel C and relation R such that

$$\mathrm{Fail}^R_{S,C}(t, 0, 0, (1 + \varepsilon)\ell, k) \ge 1 - 2^{-c\varepsilon\ell} ,$$

where $\mathcal{R}_C(S) = (1 + \varepsilon)\log(1/\delta)$, and c is a constant depending on $\delta$.

Proof. We let C be the uniform distribution on n-bit strings, and R(x, y) = 1 iff the
Hamming distance of x and y is at most d, where d and n are constants chosen to
make $\mathcal{I}(R, C) \le \delta$. We will give an attacker W which achieves the stated success
probability. For notational convenience, we define $\ell = -t\log\delta$.

W picks the challenge hiddentext $m^*$ uniformly at random, and gets in response the
challenge stegotext $s^* \leftarrow S.SE(K, m^*)$. W then uniformly picks a sequence s' subject
to the Hamming distance $|s'_i - s^*_i| \le d$ for $1 \le i \le t$. W's output is the sequence s'.

We now compute the success probability of W. Recall that

$$\mathrm{Succ}^R_{W,S,C}(k) = \Pr[SD(K, s') \ne m^*] ,$$

where this probability is taken over K, $m^*$, $s^*$, and s'. Notice that the adversary W is
identical to a noisy discrete memoryless channel, with $p(s' \mid s^*)$ defined as the uniform
distribution on $\{s \in \{0,1\}^n : |s - s^*| \le d\}$. This channel has Shannon capacity
exactly $-\log\mathcal{I}(R, C) = -\log\delta$. Furthermore, any robust stegosystem is a candidate
code for the channel. The strong converse to Shannon's coding theorem [62] tells us
that any code with rate $(1 + \varepsilon)\log(1/\delta)$ will have average error probability at least
$1 - 2^{-c\varepsilon\ell}$, where $c = 2^{-4n+2}\log(1/\delta)$ (which is a constant depending on $\delta$).

Since the event that the adversary W is successful is identical to the event that a
decoding error occurs in the code induced by $SE(K, \cdot)$, $SD(K, \cdot)$, we have that

$$\mathrm{Succ}^R_{W,S,C}(k) \ge 1 - 2^{-c\varepsilon\ell} ,$$

which satisfies the theorem. □

6.4.2 Lower Bound

In this section we will give a secure, universally $\delta$-substitution robust stegosystem
which achieves rate $(1 - \varepsilon - o(1))\log(1/\delta)$ for any $\varepsilon > 0$. We will first give an
exponentially time-inefficient construction with rate exactly $(1 - \varepsilon)\log(1/\delta)$ and then
show how to improve the computational efficiency at the expense of a o(1) factor in
the rate. These constructions use substantially the same ideas as were developed in
chapter 5, so the analysis will also be similar.

An inefficient construction

We give a stegosystem with stegotext block size $\ell$ and hiddentext block size
$l = (1 - \varepsilon)\ell\log(1/\delta)$. Suppose that the channel distribution C is efficiently sampleable.
(Recall that C is efficiently sampleable if there is an efficient algorithm C such that, given
a uniformly chosen string $s \in \{0,1\}^k$, a security parameter $1^k$ and history h, $C(h, 1^k, s)$
is indistinguishable from $C_h$.) We will assume that Alice, Bob, and Ward all have
access to this algorithm. Furthermore, we assume Alice and Bob share a key K to a
pseudorandom function family $F : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^k$, and have a synchronized
counter N.

Construction 6.16. RLBit

Procedure Encode:
  Input: K, $m \in \{0,1\}^l$, h, N
  for i = 1 ... $\ell$ do
    set $\sigma_i = C(h, 1^k, F_K(N, m))$
    increment N
    set $h = (h, \sigma_i)$
  Output: $\sigma_1, \ldots, \sigma_\ell$

Procedure Decode:
  Input: K, $s_1, \ldots, s_\ell \in D$, h, N
  set $m^* = 0$
  for $m \in \{0,1\}^l$ do
    set $h_m = h$, $N_m = N$
    for i = 1 ... $\ell$ do
      set $\sigma_i[m] = C(h_m, 1^k, F_K(N_m, m))$
      increment $N_m$
      set $h_m = (h_m, \sigma_i[m])$
    if ($\forall\, 1 \le i \le \ell$. $(\sigma_i[m], s_i) \in R'$) then $m^* = m$
  set $h = h_{m^*}$
  Output: $m^*$

The idea behind this construction is this: suppose that instead of sharing a key to
a pseudorandom function F, Alice and Bob shared $2^l = (1/\delta)^{(1-\varepsilon)\ell}$ secret $\ell$-document
sequences $d_m$, drawn independently from $C_h$. Then Alice could send Bob the message
m by sending the sequence $d_m$, and Bob could recover m by checking, for each m in
turn, to see if the sequence he received was related (by R') to $d_m$. Since the adversary
is R-bounded and (C, R') is $\delta$-admissible, the probability of a decoding error, caused
either by the adversary or by accidental draw of the $d_m$, would be at most
$2^l\delta^\ell = \delta^{\varepsilon\ell}$.
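Construction 6.16 with an R-bounded substitution adversary, as an added Python
example that is not the thesis's code. Assumptions: the channel is the uniform
distribution on 16-bit documents, so the efficient sampler $C(h, 1^k, r)$ simply
truncates its randomness and ignores the history; $R = R'$ is "Hamming distance at
most 2"; $F_K$ is HMAC-SHA256 with a constant key; and the parameters are
$\ell = 3$ documents per block and $l = 8$ hiddentext bits. With
$\delta = 137/2^{16}$ this corresponds to $\varepsilon \approx 0.7$ in $l = (1 - \varepsilon)\ell\log(1/\delta)$, which keeps
the false-match term $2^l\delta^\ell$ far below the per-block error that matters here.

```python
import hashlib
import hmac
import math
import random

# Added illustration of Construction 6.16 (RLBit); not code from the thesis.
KEY = b"constructed-demo-key"      # hypothetical shared key K
DOC_BITS = 16                      # constructed channel: uniform 16-bit documents
D_MAX = 2                          # R(x, y) iff Hamming(x, y) <= D_MAX
ELL = 3                            # stegotext block size (documents per block)
L_BITS = 8                         # hiddentext block size l

# delta = |Hamming ball of radius D_MAX| / 2^DOC_BITS, the admissibility bound
BALL = sum(math.comb(DOC_BITS, i) for i in range(D_MAX + 1))
DELTA = BALL / 2 ** DOC_BITS


def sampler(history: tuple, randomness: bytes) -> int:
    """C(h, 1^k, r) for the uniform channel: history is irrelevant here."""
    return int.from_bytes(randomness[:2], "big")


def prf(key: bytes, nonce: int, m: int) -> bytes:
    """F_K(N, m), instantiated with HMAC-SHA256 (assumption)."""
    return hmac.new(key, f"{nonce}|{m}".encode(), hashlib.sha256).digest()


def related(x: int, y: int) -> bool:
    return bin(x ^ y).count("1") <= D_MAX


def rlbit_encode(key: bytes, m: int, history: tuple, nonce: int):
    """sigma_i = C(h, 1^k, F_K(N, m)), incrementing N once per document."""
    out = []
    for i in range(ELL):
        doc = sampler(history, prf(key, nonce + i, m))
        out.append(doc)
        history = history + (doc,)
    return out, nonce + ELL


def rlbit_decode(key: bytes, docs: list, history: tuple, nonce: int):
    """Try every m in {0,1}^l: regenerate the stegotext Alice would have sent
    and accept m when every document is R'-related to what was received."""
    for m in range(2 ** L_BITS):
        candidate, _ = rlbit_encode(key, m, history, nonce)
        if all(related(c, s) for c, s in zip(candidate, docs)):
            return m
    return None


def substitute(docs: list, rng: random.Random) -> list:
    """An R-bounded active warden: flips exactly D_MAX distinct bits of every
    document, the largest change R permits."""
    out = []
    for d in docs:
        for pos in rng.sample(range(DOC_BITS), D_MAX):
            d ^= 1 << pos
        out.append(d)
    return out


def false_match_bound() -> float:
    """2^l * delta^ell, the decoding-error term of the informal argument."""
    return 2 ** L_BITS * DELTA ** ELL


if __name__ == "__main__":
    stego, _ = rlbit_encode(KEY, 0xA5, (), 0)
    tampered = substitute(stego, random.Random(3))
    print(hex(rlbit_decode(KEY, stego, (), 0)), hex(rlbit_decode(KEY, tampered, (), 0)))
    print("2^l delta^ell =", false_match_bound())
```

Decoding costs $2^l \cdot \ell$ PRF evaluations per block, which is exactly the exponential
cost the efficient construction below removes; the decoder here returns the first
related hiddentext rather than the last, a difference that only matters in the
$\delta^{\varepsilon\ell}$ false-match event.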

Lemma 6.17. RLBit is steganographically secret against a nonce-respecting chosen
hiddentext attack:

$$\mathrm{InSec}^{\mathrm{cha}}_{\mathrm{RLBit},C}(t, q, ql, k) \le \mathrm{InSec}^{\mathrm{prf}}_F(t + O(\ell q), \ell q, k) .$$

Proof. Let W be a passive warden which runs in time t, and makes at most q queries
of total length at most ql (each query can be only l bits, because of the input type).
We construct a PRF adversary A which runs in time $t + O(q\ell)$ and makes at most $q\ell$
queries to F, such that

$$\mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) = \mathrm{Adv}^{\mathrm{cha}}_{W,\mathrm{RLBit},C}(k) .$$

The PRF adversary takes a function oracle f, and emulates $W(1^k)$, responding to the
queries W makes to the encoder SE by using f in place of $F_K(\cdot, \cdot)$. More formally,
we define the subroutine $SSE^f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ as follows:

Procedure $SSE^f$:
  Input: $m \in \{0,1\}^l$, history h
  for i = 1 ... $\ell$ do
    set $\sigma_i = C(h, 1^k, f(N, m))$
    increment N
    set $h = (h, \sigma_i)$
  Output: $\sigma_1, \ldots, \sigma_\ell$

Then we define $A^f(1^k) = W^{SSE^f}(1^k)$; A's advantage over F is then:

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) &= \left|\Pr[A^{F_K}(1^k) = 1] - \Pr[A^f(1^k) = 1]\right| \\
 &= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[A^f(1^k) = 1]\right| \\
 &= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1]\right| \\
 &= \mathrm{Adv}^{\mathrm{cha}}_{W,\mathrm{RLBit},C}(k) ,
\end{aligned}$$

where the following cases for f justify the substitutions:

• f is chosen from $F_K(\cdot, \cdot)$. Then the output of $SSE^f$ is distributed identically
  to the encoding function of RLBit. That is,

  $$\Pr[A^{F_K}(1^k) = 1] = \Pr[W^{ST}(1^k) = 1] .$$

• f is chosen uniformly. Then by assumption on C, the output of $SSE^f$ is
  distributed identically to samples from $C^\ell_h$. That is,

  $$\Pr[A^f(1^k) = 1] = \Pr[W^{CT}(1^k) = 1] .$$

The claim follows by the definition of insecurity. □
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Lemma  6.18.  FailBLBlt(f,  q,  ql,  l,  k)  <  InSec^rf(t  +  0(q£)  +  2l£,  ql  +  2l£,  k )  +  5el. 


Proof.  Let  W  be  an  active  R-bounded  (t,  q,  ql,  l )  warden.  We  construct  a  PRF  ad¬ 
versary  A  which  runs  in  time  t  +  0(q£),  makes  at  most  ql  PRF  queries,  and  satisfies 
AdO)  >  Succ (|/RLBitC(fc)  —  Sei.  Af  works  by  emulating  W,  using  its  function 
oracle  /  in  place  of  Fk(;-)  to  emulate  RLBit.  Encode  in  responding  to  the  queries 
of  W.  Let  mw,  sw  be  the  hiddentext  and  the  stegotext  sequence  returned  by  W, 
respectively.  Then  A^  returns  1  iff  SD^  (sw,hw )  7^  mw-  Consider  the  following  two 
cases  for  /: 

•  /  is  chosen  uniformly  from  all  appropriate  functions.  Then,  for  each  i,  the  stego- 
texts  cjj  =  C(lfc,  hi,  f(N+i,  mw))  are  distributed  independently  according  to  C^. 
Consider  the  sequence  of  “alternative  stegotexts”  di[m']  =  C(lfc,  h\,  f(N+i,  m')) 
for  each  m!  ^  mw  G  {0,  1}F  each  of  these  is  also  distributed  independently  ac¬ 
cording  to  Chiim'Yi  and  since  W  is  never  given  access  to  the  dt  [rn'] ,  the  st  are 
independent  of  the  di[m'].  Now  SD  will  fail  (causing  A? (lfc)  to  output  1)  only  if 
the  event  3m'  A/i.{di\m!\,  sf)  G  R'  occurs.  Because  the  dt [rn’]  are  independent  of 
the  actions  of  W,  and  because  (C,  R')  is  ^admissible,  each  event  (di[m'\,  sf)  G  R! 
happens  independently  with  probability  at  most  5.  So  for  each  rn' ,  the  proba¬ 
bility  of  failure  is  at  most  <r,  and  thus  by  a  union  bound,  we  have  that 

Pr[Af(lk)  =  1]  <  S*  =  set  • 

m'  £{0,1}1 

•  /  is  chosen  uniformly  from  Fk-  Then  21^(1^)  outputs  1  exactly  when  W  succeeds 
against  RLBit,  by  the  definition  of  RLBit. 

Pr[AF*(lfc)  =  1]  =  Succ *LBit,w(k)  ■ 


Taking  the  difference  of  these  probabilities,  we  get: 

Ad vp*A(k)  =  Pr[AFK(lk)  =  1]  -  Pr[Af(lk)  =  1] 

=  Succ *LBit,w(k)  ~  p4Af(lk)  =  !] 

>  Succ *LBit,W(l)  -  ^  ■ 

□ 


128 


Improving the run-time

Notice that because the running time of the decoding procedure for RLBit is
exponential in $\ell$, the proof of robustness is not very strong: the information-theoretic
bound on the success of W is essentially polynomial in the running time of the PRF
adversary we construct from W. Still, if we set $\ell = \mathrm{poly}(\log k)$, and assume
subexponential hardness for F, we obtain a negligible bound on the success probability,
but a quasi-polynomial time decoding routine. We will now give a construction with a
polynomial-time decoding algorithm, at the expense of a o(1) factor in the rate.

As before we will assume that C is efficiently sampleable, that
$F : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^k$ is pseudorandom and both parties share a secret
$K \in \{0,1\}^k$, and a synchronized counter N. As before, we will let
$l = (1 - \varepsilon)\ell\log(1/\delta)$, but we now set $\ell$ so that $l = \log k$. We set an additional
parameter $L = k/\log(1/\delta)$.

Construction 6.19. RMBit

Procedure Encode:
  Input: K, $m_1, \ldots, m_n \in \{0,1\}^l$, h, N
  for i = 1 ... n do
    set $\sigma_i = \mathrm{LEnc}(K, m_1 \| \cdots \| m_i, h, N, \ell)$
    set $h = (h, \sigma_i)$
  set $\tau = \mathrm{LEnc}(K, m, h, N, L)$
  Output: $\sigma_1, \ldots, \sigma_n, \tau$

Procedure Decode:
  Input: K, $s_1, \ldots, s_n \in D^\ell$, $t \in D^L$, h, N
  let $m^* = 0$
  let $\mathcal{L} = \mathrm{LDec}(K, s_1 \ldots s_n, (), h, N)$
  for each $m \in \mathcal{L}$ do
    set $\sigma_1, \ldots, \sigma_n, \tau = \mathrm{Encode}(K, m, h, N)$
    if ($\forall\, 1 \le i \le L$. $(\tau_i, t_i) \in R'$) then
      set $m^* = m$
  Output: $m^*$

Procedure LEnc:
  Input: K, m, h, N, len
  for i = 1 ... len do
    set $\sigma_i = C(h, 1^k, F_K(N, i, m))$
    set $h = (h, \sigma_i)$
  Output: $\sigma_1, \ldots, \sigma_{len}$

Procedure LDec:
  Input: K, $s_1, \ldots, s_a$, $m^*$, h, N
  if a = 0 then Output: $\{()\}$
  let $\mathcal{L} = \{\}$
  for $m \in \{0,1\}^l$ do
    let $m' = m^* \| m$
    set $\sigma[m] = \mathrm{LEnc}(K, m', h, N, \ell)$
    if ($\forall\, 1 \le i \le \ell$. $(\sigma_i[m], s_{1,i}) \in R'$) then
      let $h[m] = (h, \sigma[m])$
      let $T = \mathrm{LDec}(K, s_2 \ldots s_a, m', h[m], N)$
      set $\mathcal{L} = \mathcal{L} \cup \{m \| t : t \in T\}$
  Output: $\mathcal{L}$

The idea behind this procedure is to break a message up into l-bit blocks, and
encode each one using the RLBit.Encode procedure; and then append the encoding
of L documents of message-dependent redundancy. To decode, we iteratively attempt
to match each stegotext block against each of the $2^l = k$ possible hiddentext blocks;
there will always be one matching block, and with some small probability $k^{-\varepsilon}$ there
will be an additional match. We perform a depth-first search on these matches to
find a list of candidate messages, and then test each message to see whether the
redundant encoding matches. Any candidate match from the depth-first search will
also have matching redundancy with probability $2^{-k}$, and a union bound will thus
bound the probability of a decoding failure by $(1 + \frac{1}{\varepsilon})2^{-k}$. Furthermore, the total
expected number of nodes explored by Decode is at most $(1 + \frac{1}{\varepsilon})n$; thus our reduction
will be efficient.

Theorem 6.20. RMBit is steganographically secret against a nonce-respecting chosen
hiddentext attack:

$$\mathrm{InSec}^{\mathrm{cha}}_{\mathrm{RMBit},C}(t, q, l\mu, k) \le \mathrm{InSec}^{\mathrm{prf}}_F(t + O(\mu\ell), \mu\ell, k) .$$

Proof. Let W be a passive warden which runs in time t, and makes at most q queries
of total length at most $l\mu$ (each query must be a multiple of l bits, because of the
input type). We construct a PRF adversary A which runs in time $t + O(\mu\ell)$ and
makes at most $\mu\ell$ queries to F, such that

$$\mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) = \mathrm{Adv}^{\mathrm{cha}}_{W,\mathrm{RMBit},C}(k) .$$

The PRF adversary takes a function oracle f, and emulates $W(1^k)$, responding to
the queries W makes to its oracle O by running RMBit.Encode, using f in place of
$F_K(\cdot, \cdot)$. Consider the following cases for f:

• f is chosen from $F_K(\cdot, \cdot)$. Then the responses to W's queries are distributed
  identically to the encoding function of RMBit. That is,

  $$\Pr[A^{F_K}(1^k) = 1] = \Pr[W^{ST}(1^k) = 1] .$$

• f is chosen uniformly. Then by assumption on C, the response to each query by
  W is distributed identically to samples from $C_h$. That is,

  $$\Pr[A^f(1^k) = 1] = \Pr[W^{CT}(1^k) = 1] .$$

A's advantage over F is then:

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{prf}}_{A,F}(k) &= \left|\Pr[A^{F_K}(1^k) = 1] - \Pr[A^f(1^k) = 1]\right| \\
 &= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[A^f(1^k) = 1]\right| \\
 &= \left|\Pr[W^{ST}(1^k) = 1] - \Pr[W^{CT}(1^k) = 1]\right| \\
 &= \mathrm{Adv}^{\mathrm{cha}}_{W,\mathrm{RMBit},C}(k) .
\end{aligned}$$

The claim follows by the definition of insecurity. □

Theorem 6.21. RMBit is robust:
$$\mathbf{Fail}_{\mathrm{RMBit}}(t, q, \ell\mu, \ell n, k) \le \mathbf{InSec}^{\mathrm{prf}}_{F}\big(t', 2n(1 + 1/\varepsilon) + \ell(\mu + n), k\big) + (1 + 1/\varepsilon)2^{-k} + (e/4)^{n},$$
where $t' \le t + O((1 + 1/\varepsilon)n) + O((1 + 1/\varepsilon)kn)$.

Proof. Let $W$ be an active $R$-bounded $(t, q, \ell\mu, \ell n)$ warden. We construct a PRF adversary $A$ which runs in time $t'$, makes at most $2n(1 + 1/\varepsilon) + \ell(\mu + n)$ PRF queries, and satisfies $\mathbf{Adv}^{\mathrm{prf}}_{A,F}(k) \ge \mathbf{Succ}^{R}_{W,\mathrm{RMBit},\mathcal{C}}(k) - (1 + 1/\varepsilon)2^{-k} - (e/4)^{n}$. $A^{f}$ works by emulating $W$, using its function oracle $f$ in place of $F_K(\cdot,\cdot)$ to emulate RMBit.Encode in responding to the queries of $W$. Let $m^*, s^*$ be the hiddentext and the stegotext sequence returned by $W$, respectively. Then $A^{f}$ returns 1 iff $SD^{f}(s^*, h^*) \ne m^*$. To ensure that the running time and the number of queries are at most $t'$ and $2n(1 + 1/\varepsilon) + \ell(\mu + n)$, we halt whenever $SD^{f}$ makes more than $2n(1 + 1/\varepsilon)$ queries to $f$, an event we will denote by $TB$. We will show that $\Pr[TB] \le (e/4)^{n}$ when $f$ is a randomly chosen function. Thus we can neglect this case in our analyses of the cases for $f$.

Consider the following two cases for $f$:

• $f$ is chosen uniformly from all appropriate functions. Then a decoding error happens when there exists another $m \in \{0,1\}^{\ell n}$ such that for all $(i, j)$, $1 \le i \le \ell$, $1 \le j \le n$, we have $(s^*_{(j-1)\ell + i}, \mathrm{LEnc}^{f}(m_{1 \ldots j})_i) \in R$; and also $(s^*_{\ell n + i}, \mathrm{LEnc}^{f}(m)_i) \in R$ for all $i$, $1 \le i \le L$. Let $j$ be the least $j$ such that $m_j \ne m^*_j$. Then for blocks $m_{j+1}, \ldots, m_n$, the $\ell$-document blocks $\mathrm{LEnc}^{f}(m_{1 \ldots j+1}), \ldots, \mathrm{LEnc}^{f}(m_{1 \ldots n})$ are independent of $s^*$. Thus for such $m$, the probability of a match is at most $\delta^{\ell(n-j) + L} = 2^{-k}\delta^{\ell(n-j)}$. Since there are $2^{\ell(n-j)}$ messages matching $m^*$ in the first $j$ blocks, we have that
$$\begin{aligned}
\Pr[A^{f}(1^k) = 1] &= \Pr[SD^{f}(s^*) \ne m^*] \\
&\le \Pr\Big[\exists\, m \ne m^* .\ \bigwedge_{1 \le i \le \ell n + L} (\mathrm{LEnc}^{f}(m)_i, s^*_i) \in R\Big] \\
&\le \sum_{j=0}^{n} 2^{\ell(n-j)}\, 2^{-k}\, \delta^{\ell(n-j)} \\
&\le 2^{-k} \sum_{j=0}^{\infty} \big(2^{\ell}\delta^{\ell}\big)^{j} \\
&= 2^{-k} \cdot \frac{1}{1 - 2^{\ell}\delta^{\ell}} \\
&\le 2^{-k}(1 + 1/\varepsilon)\,.
\end{aligned}$$

• $f$ is chosen uniformly from $F_K$. Then $A^{F_K}(1^k)$ outputs 1 exactly when $W$ succeeds against RMBit, by the definition of RMBit:
$$\Pr[A^{F_K}(1^k) = 1] = \mathbf{Succ}^{R}_{W,\mathrm{RMBit},\mathcal{C}}(k)\,.$$

Taking the difference of these probabilities, we get:
$$\begin{aligned}
\mathbf{Adv}^{\mathrm{prf}}_{A,F}(k) &= \Pr[A^{F_K}(1^k) = 1] - \Pr[A^{f}(1^k) = 1] \\
&= \mathbf{Succ}^{R}_{W,\mathrm{RMBit},\mathcal{C}}(k) - \Pr[A^{f}(1^k) = 1] \\
&\ge \mathbf{Succ}^{R}_{W,\mathrm{RMBit},\mathcal{C}}(k) - (1 + 1/\varepsilon)2^{-k} - \Pr[TB]\,.
\end{aligned}$$

It remains to show that $\Pr[TB] \le (e/4)^{n}$. Notice that the number of queries to $f$ by $A$ is determined by the number of messages that match a $j$-block prefix of $s^*$, for $1 \le j \le n$. Let $X_m = 1$ if $m \in \{0,1\}^{\ell j}$ matches a $j$-block prefix of $s^*$. Let $X = \sum_{j=1}^{n} \sum_{m \in \{0,1\}^{\ell j}} X_m$ denote the number of matching prefix messages. Then $n \le \mathbf{E}[X] \le n(1 + 1/\varepsilon)$, and a Chernoff bound gives us
$$\Pr[X \ge 2n(1 + 1/\varepsilon)] \le \Pr[X \ge 2\mathbf{E}[X]] \le (e/4)^{\mathbf{E}[X]} \le (e/4)^{n},$$
which completes the proof. □
Theorem 6.22. $\mathcal{R}_{\mathcal{C}}(\mathrm{RMBit}) = (1 - \varepsilon)\log(1/\delta) - o(1)$.

Proof. For a hiddentext of $(1 - \varepsilon)\log(1/\delta)\,\ell n$ bits, RMBit transmits $\ell n + L = \ell n + k/\log(1/\delta)$ documents. Thus the rate is
$$\frac{(1 - \varepsilon)\log(1/\delta)\,\ell n}{\ell n + k/\log(1/\delta)} = (1 - \varepsilon)\log(1/\delta)\left(1 - \frac{\Theta(k)}{\ell n + \Theta(k)}\right) \ge (1 - \varepsilon)\log(1/\delta) - O\!\left(\frac{k}{n}\right).$$
For any choice of $n = \omega(k)$, the second term is $o(1)$, as claimed. □
Chapter 7


Covert  Computation 


7.1  Introduction 

Secure  two-party  computation  allows  Alice  and  Bob  to  evaluate  a  function  of  their 
secret  inputs  so  that  neither  learns  anything  other  than  the  output  of  the  function. 
A  real-world  example  that  is  often  used  to  illustrate  the  applications  of  this  primitive 
is  when  Alice  and  Bob  wish  to  determine  if  they  are  romantically  interested  in  each 
other.  Secure  two-party  computation  allows  them  to  do  so  without  revealing  their 
true  feelings  unless  they  are  both  attracted.  By  securely  evaluating  the  AND  of  the 
bits  representing  whether  each  is  attracted  to  the  other,  both  parties  can  learn  if 
there  is  a  match  without  risking  embarrassment:  if  Bob  is  not  interested  in  Alice,  for 
instance,  the  protocol  does  not  reveal  whether  Alice  is  interested  in  him.  So  goes  the 
example. 

However,  though  often  used  to  illustrate  the  concept,  this  example  is  not  entirely 
logical.  The  very  use  of  two-party  computation  already  reveals  possible  interest  from 
one  party:  “would  you  like  to  determine  if  we  are  both  attracted  to  each  other?” 

A similar limitation occurs in a variety of other applications where the very use of the primitive raises enough suspicion to defeat its purpose. To overcome this limitation we introduce covert two-party computation, which guarantees the following (in addition to leaking no additional knowledge about the individual inputs): (A) no outside eavesdropper can determine whether the two parties are performing the computation or simply communicating as they normally do; (B) before learning $f(x_A, x_B)$, neither party can tell whether the other is running the protocol; (C) at any point prior to or after the conclusion of the protocol, each party can only determine if the other ran the protocol insofar as they can distinguish $f(x_A, x_B)$ from uniformly chosen random bits. By defining a functionality $g(x_A, x_B)$ such that $g(x_A, x_B) = f(x_A, x_B)$ whenever $f(x_A, x_B) \in Y$ and $g(x_A, x_B)$ is pseudorandom otherwise, covert two-party computation allows the construction of protocols that return $f(x_A, x_B)$ only when it is in a certain set of interesting values $Y$ but for which neither party can determine whether the other even ran the protocol whenever $f(x_A, x_B) \notin Y$. Among the many important potential applications of covert two-party computation we mention the following:

• Dating. As hinted above, covert two-party computation can be used to properly determine if two people are romantically interested in each other. It allows a person to approach another and perform a computation hidden in their normal-looking messages such that: (1) if both are romantically interested in each other, they both find out; (2) if none or only one of them is interested in the other, neither will be able to determine that a computation even took place. In case both parties are romantically interested in each other, it is important to guarantee that both obtain the result. If one of the parties can get the result while ensuring that the other one doesn't, this party would be able to learn the other's input by pretending he is romantically interested; there would be no harm for him in doing so since the other would never see the result. However, if the protocol is fair (either both obtain the result or neither of them does), parties have a deterrent against lying.

• Cheating in card games. Suppose two parties playing a card game want to determine whether they should cheat. Each of them is self-interested, so cheating should not occur unless both players can benefit from it. Using covert two-party computation with both players' hands as input allows them to compute if they have an opportunity to benefit from cheating while guaranteeing that: (1) neither player finds out whether the other attempted to cheat unless they can both benefit from it; (2) none of the other players can determine if the two are secretly planning to collude.

• Bribes. Deciding whether to bribe an official can be a difficult problem. If the official is corrupt, bribery can be extremely helpful and sometimes necessary. However, if the official abides by the law, attempting to bribe him can have extremely negative consequences. Covert two-party computation allows individuals to approach officials and negotiate a bribe with the following guarantees: (1) if the official is willing to accept bribes and the individual is willing to give them, the bribe is agreed to; (2) if at least one of them is not willing to participate in the bribe, neither of them will be able to determine if the other attempted or understood the attempt of bribery; (3) the official's supervisor, even after seeing the entire sequence of messages exchanged, will not be able to determine if the parties performed or attempted bribery.

• Covert Authentication. Imagine that Alex works for the CIA and Bob works for Mossad. Both have infiltrated a single terrorist cell. If they can discover their "mutual interest" they could pool their efforts; thus both should be looking for potential collaborators. On the other hand, suggesting something out of the ordinary is happening to a normal member of the cell would likely be fatal. Running a covert computation in which both parties' inputs are their (unforgeable) credentials and the result is $1^k$ if they are allies and uniform bits otherwise will allow Alex and Bob to authenticate each other such that if Bob is NOT an ally, he will not know that Alex was even asking for authentication, and vice-versa. (Similar situations occur in, e.g., planning a coup d'état or constructing a zombie network.)

• Cooperation between competitors. Imagine that Alice and Bob are competing online retailers and both are being compromised by a sophisticated cracker. Because of the volume of their logs, neither Alice nor Bob can draw a reliable inference about the location of the hacker; statistical analysis indicates about twice as many attack events are required to isolate the cracker. Thus if Alice and Bob were to compare their logs, they could solve their problem. But if Alice admits she is being hacked and Bob is not, he will certainly use this information to take her customers; and vice-versa. Using covert computation to perform the log analysis online can break this impasse. If Alice is concerned that Bob might fabricate data to try and learn something from her logs, the computation could be modified so that when an attacker is identified, the output is both an attacker and a signed contract stating that Alice is due a prohibitively large fine (for instance, $1 Billion US) if she can determine that Bob falsified his log, and vice-versa. Similar situations occur whenever cooperation might benefit mutually distrustful competitors.

Our  protocols  make  use  of  provably  secure  steganography  [4,  7,  34,  53]  to  hide  the 
computation  in  innocent-looking  communications.  Steganography  alone,  however,  is 
not  enough.  Combining  steganography  with  two-party  computation  in  the  obvious 
black-box  manner  (i.e.,  forcing  all  the  parties  participating  in  an  ordinary  two-party 
protocol  to  communicate  steganographically)  yields  protocols  that  are  undetectable  to 
an  outside  observer  but  does  not  guarantee  that  the  participants  will  fail  to  determine 
if  the  computation  took  place.  Depending  on  the  output  of  the  function,  we  wish  to 
hide  that  the  computation  took  place  even  from  the  participants  themselves. 

Synchronization,  and  who  knows  what? 

Given the guarantees that covert two-party computation offers, it is important to
clarify  what  the  parties  know  and  what  they  don’t.  We  assume  that  both  parties  know 
a  common  circuit  for  the  function  that  they  wish  to  evaluate,  that  they  know  which 
role  they  will  play  in  the  evaluation,  and  that  they  know  when  to  start  evaluating  the 
circuit  if  the  computation  is  going  to  occur.  An  example  of  such  “synchronization” 
information  could  be:  “if  we  will  determine  whether  we  both  like  each  other,  the 
computation  will  start  with  the  first  message  exchanged  after  5pm.”  (Notice  that 
since  such  details  can  be  published  as  part  of  the  protocol  specification,  there  is  no 
need  for  either  party  to  indicate  that  they  wish  to  compute  anything  at  all)  We  assume 
adversarial  parties  know  all  such  details  of  the  protocols  we  construct. 
Hiding Computation vs. Hiding Inputs


Notice  that  covert  computation  is  not  about  hiding  which  function  Alice  and  Bob  are 
interested  in  computing,  which  could  be  accomplished  via  standard  SFE  techniques: 
Covert  Computation  hides  the  fact  that  Alice  and  Bob  are  interested  in  computing  a 
function  at  all.  This  point  is  vital  in  the  case  of,  e.g.,  covert  authentication,  where 
expressing  a  desire  to  do  anything  out  of  the  ordinary  could  result  in  the  death  of 
one  of  the  parties.  In  fact,  we  assume  that  the  specific  function  to  be  computed  (if 
any)  is  known  to  all  parties.  This  is  analogous  to  the  difference  in  security  goals 
between  steganography  -  where  the  adversary  is  assumed  to  know  which  message,  if 
any,  is  hidden  -  and  encryption,  where  the  adversary  is  trying  to  decide  which  of  two 
messages  are  hidden. 

Roadmap. 

The high-level view of our presentation is as follows. First, we will define the security properties of covert two-party computation. Then we will present two protocols. The first protocol we present will be a modification of Yao's "garbled circuit" two-party protocol in which, except for the oblivious transfer, all messages generated are indistinguishable from uniform random bits. We construct a protocol for oblivious transfer that generates messages that are indistinguishable from uniform random bits (under the Decisional Diffie-Hellman assumption) to yield a complete protocol for two-party secure function evaluation that generates messages indistinguishable from random bits. We then use steganography to transform this into a protocol that generates messages indistinguishable from "ordinary" communications. The protocol thus constructed, however, is not secure against malicious adversaries nor is it fair (since neither is Yao's protocol by itself). We therefore construct another protocol, which uses our modification of Yao's protocol as a subroutine, that satisfies fairness and is secure against malicious adversaries, in the Random Oracle Model. The major difficulty in doing so is that the standard zero-knowledge-based techniques for converting a protocol in the honest-but-curious model into a protocol secure against malicious adversaries cannot be applied in our case, since they reveal that the other party is running the protocol.
Related Work.


Secure  two-party  computation  was  introduced  by  Yao  [63].  Since  then,  there  have 
been  several  papers  on  the  topic  and  we  refer  the  reader  to  a  survey  by  Goldreich  [26] 
for  further  references.  Constructions  that  yield  fairness  for  two-party  computation 
were introduced by Yao [64], Galil et al. [24], Brickell et al. [15], and many others
(see  [51]  for  a  more  complete  list  of  such  references).  The  notion  of  covert  two-party 
computation,  however,  appears  to  be  completely  new. 

Notation. 

We say a function $\mu : \mathbb{N} \to [0,1]$ is negligible if for every $c > 0$, for all sufficiently large $k$, $\mu(k) < 1/k^c$. We denote the length (in bits) of a string or integer $s$ by $|s|$ and the concatenation of string $s_1$ and string $s_2$ by $s_1 \| s_2$. We let $U_k$ denote the uniform distribution on $k$-bit strings. If $\mathcal{D}$ is a distribution with finite support $X$, we define the minimum entropy of $\mathcal{D}$ as $H_\infty(\mathcal{D}) = \min_{x \in X}\{\log_2(1/\Pr_{\mathcal{D}}[x])\}$. The statistical distance between two distributions $\mathcal{C}$ and $\mathcal{D}$ with joint support $X$ is defined by $\Delta(\mathcal{C}, \mathcal{D}) = (1/2)\sum_{x \in X} \big|\Pr_{\mathcal{C}}[x] - \Pr_{\mathcal{D}}[x]\big|$. Two sequences of distributions, $\{\mathcal{C}_k\}_k$ and $\{\mathcal{D}_k\}_k$, are called computationally indistinguishable, written $\mathcal{C} \approx \mathcal{D}$, if for any probabilistic polynomial-time $A$, $\mathbf{Adv}^{\mathcal{C},\mathcal{D}}_{A}(k) = \big|\Pr[A(\mathcal{C}_k) = 1] - \Pr[A(\mathcal{D}_k) = 1]\big|$ is negligible in $k$.


7.2 Covert Two-Party Computation Against Semi-Honest Adversaries

We now present a protocol for covert two-party computation that is secure against semi-honest adversaries in the standard model (without Random Oracles) and assumes that the decisional Diffie-Hellman problem is hard. The protocol is based on Yao's well-known function evaluation protocol [63].

We first define covert two-party computation formally, following standard definitions for secure two-party computation, and we then describe Yao's protocol and the necessary modifications to turn it into a covert computation protocol. The definition presented in this section is only against honest-but-curious adversaries and is unfair in that only one of the parties obtains the result. In Section 4 we will define covert two-party computation against malicious adversaries and present a protocol that is fair: either both parties obtain the result or neither of them does. The protocol in Section 4 uses the honest-but-curious protocol presented in this section as a subroutine.

7.2.1  Definitions 

Formally, a two-party, $n$-round protocol is a pair $\Pi = (P_0, P_1)$ of programs. The computation of $\Pi$ proceeds as follows: at each round, $P_0$ is run on its input $x_0$, the security parameter $1^k$, a state $s_0$, and the (initially empty) history of messages exchanged so far, to produce a new message $m$ and an internal state $s_0$. The message $m$ is sent to $P_1$, which is run on its input $x_1$, the security parameter $1^k$, a state $s_1$, and the history of messages exchanged so far to produce a message that is sent back to $P_0$, and a state $s_1$ to be used in the next round. Denote by $\langle P_0(x_0), P_1(x_1)\rangle$ the transcript of the interaction of $P_0$ with input $x_0$ and $P_1$ with input $x_1$. This transcript includes all messages exchanged between $P_0$ and $P_1$ along with the timestep in which they were sent. After $n$ rounds, each party $P \in \{P_0, P_1\}$ halts with an output, denoted by $\Pi_P(x_0, x_1) = \Pi_P(x)$. We say that $\Pi$ correctly realizes the functionality $f$ if for at least one $P \in \{P_0, P_1\}$, $\Pr[\Pi_P(x) = f(x)] \ge 1 - \nu(k)$, where $\nu$ is negligible.

For $\sigma \in \{0,1\}$, we denote by $V^{\Pi}_{P_\sigma}(x_0, x_1)$ the view of party $P_\sigma$ on input $x_\sigma$ when interacting with $P_{1-\sigma}$ on input $x_{1-\sigma}$. The view includes $P_\sigma$'s input $x_\sigma$, private random bits, and all messages sent by $P_0$ and $P_1$. We say $\Pi$ securely realizes the functionality $f$ if $\Pi$ correctly realizes $f$ and, for any $P'_\sigma$ and $x_{1-\sigma}$, there is a simulator $P''_\sigma$ and an $x_\sigma$ such that $P''_\sigma(f(x_0, x_1)) \approx V^{\Pi}_{P'_\sigma}(x_0, x_1)$. Notice that given $f(x_0, x_1)$, $P'_\sigma$ could just use $P''_\sigma$ to simulate his interaction with $P_{1-\sigma}$ without actually running $\Pi$. Thus if $\Pi$ securely implements $f$, neither party learns more from the interaction than could be learned from just $f(x_0, x_1)$.

Define the view of party $P$ interacting in protocol $\Pi$ up through round $j$ by $V^{\Pi,j}_{P}(x)$. When party $P_\sigma$ is not executing $\Pi$ but is drawing from $B$ instead, we denote this "protocol" by $\Pi : B_\sigma$.


Definition 7.1. (Covert two-party protocol against honest-but-curious adversaries) We say an $n$-round, two-party protocol $(P_0, P_1)$ covertly realizes the functionality $f$ for bidirectional channel $B$ if it securely realizes $f$ and if it has the following additional properties:

1. (External covertness): For any input $x$, $\langle P_0(x_0), P_1(x_1)\rangle \approx B$.

2. (Internal covertness): For any input $x$, $V^{\Pi,n}_{P_0}(x) \approx V^{\Pi:B_1,\,n}_{P_0}(x)$ and $V^{\Pi,n-1}_{P_1}(x) \approx V^{\Pi:B_0,\,n-1}_{P_1}(x)$.

3. (Final Covertness): For every PPT $D$ there exists a PPT $D'$ and a negligible $\nu$ such that for any $x_1$ and any distribution $X_0$,
$$\mathbf{Adv}^{V^{\Pi}_{P_1}(X_0, x_1),\, V^{\Pi:B_0}_{P_1}(X_0, x_1)}_{D}(k) \le \mathbf{Adv}^{f(X_0, x_1),\, U_m}_{D'}(k) + \nu(k).$$

In other words, until the final round, neither party can distinguish between the case that the other is running the protocol or just drawing from $B$; and after the final message, $P_0$ still cannot tell, while $P_1$ can only distinguish the cases if $f(x_0, x_1)$ and $U_m$ are distinguishable. Note that property 2 implies property 1, since $P_0$ could apply the distinguisher to his view (less the random bits).

We will slightly abuse notation and say that a protocol which has messages indistinguishable from random bits (even given one party's view) is covert for the uniform channel $U$.


7.2.2 Yao's Protocol For Two-Party Secure Function Evaluation

Yao's protocol [63] securely (not covertly) realizes any functionality $f$ that is expressed as a combinatorial circuit. Our description is based on [46]. The protocol is run between two parties, the Input Owner $A$ and the Program Owner $B$. The input of $A$ is a value $x$, and the input of $B$ is a description of a function $f$. At the end of the protocol, $B$ learns $f(x)$ (and nothing else about $x$), and $A$ learns nothing about $f$. The protocol requires two cryptographic primitives, pseudorandom functions and oblivious transfer, which we describe here for completeness.

Pseudorandom Functions.

Let $\{F : \{0,1\}^k \times \{0,1\}^{L(k)} \to \{0,1\}^{l(k)}\}_k$ denote a sequence of function families. Let $A$ be an oracle probabilistic adversary. We define the prf-advantage of $A$ over $F$ as $\mathbf{Adv}^{\mathrm{prf}}_{A,F}(k) = \big|\Pr_K[A^{F_K(\cdot)}(1^k) = 1] - \Pr_g[A^{g}(1^k) = 1]\big|$, where $K \leftarrow U_k$ and $g$ is a uniformly chosen function from $L(k)$ bits to $l(k)$ bits. Then $F$ is pseudorandom if $\mathbf{Adv}^{\mathrm{prf}}_{A,F}(k)$ is negligible in $k$ for all polynomial-time $A$. We will write $F_K(\cdot)$ as shorthand for $F_{|K|}(K, \cdot)$ when $|K|$ is known.

Oblivious  Transfer. 

l-out-of-2  oblivious  transfer  (OT^)  allows  two  parties,  the  sender  who  knows  the 
values  mo  and  mi,  and  the  chooser  whose  input  is  c  6  {0, 1},  to  communicate  in  such 
a  way  that  at  the  end  of  the  protocol  the  chooser  learns  rna ,  while  learning  nothing 
about  mi-o-,  and  the  sender  learns  nothing  about  a.  Formally,  let  O  =  (S,  C )  be  a  pair 
of  interactive  PPT  programs.  We  say  that  O  is  correct  if  Pr [Oc((m0,  mi),  a)  =  ma\  > 
1  —  e(k)  for  negligible  e.  We  say  that  O  has  chooser  privacy  if  for  any  PPT  S'  and 
any  m0,mi,  |Pr[5'/((S" (m0,  mi),  C(cr)))  —  a]  —  -||  <  e(k)  and  O  has  sender  privacy  if 
for  any  PPT  C'  there  exists  a  o  and  a  PPT  C"  such  that  C"(ma)  ~  Vn  {{m0i m i ) ?  a)- 
We  say  that  O  securely  realizes  the  functionality  OT^f  if  O  is  correct  and  has  chooser 
and  sender  privacy. 

Yao’s  Protocol. 

Yao's protocol is based on expressing $f$ as a combinatorial circuit. Starting with the circuit, the program owner $B$ assigns to each wire $i$ two random $k$-bit values $(W_i^0, W_i^1)$ corresponding to the 0 and 1 values of the wire. It also assigns a random permutation $\pi_i$ over $\{0,1\}$ to the wire. If a wire has value $b_i$ we say it has "garbled" value $(W_i^{b_i}, \pi_i(b_i))$. To each gate $g$, $B$ assigns a unique identifier $I_g$ and a table $T_g$ which enables computation of the garbled output of the gate given the garbled inputs. Given the garbled inputs to $g$, $T_g$ does not disclose any information about the garbled output of $g$ for any other inputs, nor does it reveal the actual values of the input bits or the output bit.

Assume $g$ has two input wires $(i, j)$ and one output wire $out$ (gates with higher fan-in or fan-out can be accommodated with straightforward modifications). The construction of $T_g$ uses a pseudorandom function $F$ whose output length is $k + 1$. The table $T_g$ is as follows, where $b_{out} = g(b_i, b_j)$ is the output bit for the row's input bits:

$\pi_i(b_i)$ | $\pi_j(b_j)$ | value
0 | 0 | $(W_{out}^{b_{out}} \| \pi_{out}(b_{out})) \oplus F_{W_i^{b_i}}(I_g, 0) \oplus F_{W_j^{b_j}}(I_g, 0)$
0 | 1 | $(W_{out}^{b_{out}} \| \pi_{out}(b_{out})) \oplus F_{W_i^{b_i}}(I_g, 0) \oplus F_{W_j^{b_j}}(I_g, 1)$
1 | 0 | $(W_{out}^{b_{out}} \| \pi_{out}(b_{out})) \oplus F_{W_i^{b_i}}(I_g, 1) \oplus F_{W_j^{b_j}}(I_g, 0)$
1 | 1 | $(W_{out}^{b_{out}} \| \pi_{out}(b_{out})) \oplus F_{W_i^{b_i}}(I_g, 1) \oplus F_{W_j^{b_j}}(I_g, 1)$

To compute $f(x)$, $B$ computes garbled tables $T_g$ for each gate $g$, and sends the tables to $A$. Then, for each circuit input wire $i$, $A$ and $B$ perform an oblivious transfer, where $A$ plays the role of the chooser (with $\sigma = b_i$) and $B$ plays the role of the sender, with $m_0 = W_i^0 \| \pi_i(0)$ and $m_1 = W_i^1 \| \pi_i(1)$. $A$ computes $\pi_j(b_j)$ for each output wire $j$ of the circuit (by trickling down the garbled inputs using the garbled tables) and sends these values to $B$, who applies $\pi_j^{-1}$ to learn $b_j$. Alternatively, $B$ can send the values $\pi_j$ (for each circuit output wire $j$) to $A$, who then learns the result. Notice that the first two columns of $T_g$ can be implicitly represented, leaving a "table" which is indistinguishable from uniformly chosen bits.
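The following Python, added here as an illustration and not taken from the thesis or from [46], garbles a single two-input gate exactly as the table above prescribes and then evaluates it on all four inputs. The pseudorandom function $F$ is instantiated with HMAC-SHA256 truncated to $k + 8$ bits (one whole byte carries $\pi_{out}(b_{out})$ instead of a single bit), wire labels are $k = 128$ bits, and the gate identifier $I_g = 7$ is arbitrary; all of these are my choices. The table is stored with its first two columns implicit in the row order, so what the evaluator receives is $4(k+1)$ bytes that look uniform.

```python
"""Garbling and evaluating one gate with the table T_g described above
(added example; HMAC-SHA256 stands in for the PRF F)."""
import hashlib
import hmac
import secrets

K = 16  # k = 128-bit wire labels; F's output is k + 8 bits here (one byte carries pi_out(b_out))


def F(key: bytes, gate_id: int, bit: int) -> bytes:
    """F_key(I_g, bit): HMAC-SHA256 truncated to K + 1 bytes."""
    return hmac.new(key, bytes([gate_id, bit]), hashlib.sha256).digest()[:K + 1]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_wire() -> tuple:
    """A wire is (W^0, W^1, pi): two random k-bit labels and a random permutation bit."""
    return (secrets.token_bytes(K), secrets.token_bytes(K), secrets.randbits(1))


def garbled(wire: tuple, b: int) -> tuple:
    """The garbled value (W^b, pi(b)) of a wire carrying plaintext bit b."""
    return (wire[b], wire[2] ^ b)


def garble_gate(gate_id: int, g, wire_i: tuple, wire_j: tuple, wire_out: tuple) -> bytes:
    """Build T_g. Row (pi_i(b_i), pi_j(b_j)) holds (W_out^{b_out} || pi_out(b_out)) masked by
    F_{W_i^{b_i}}(I_g, pi_i(b_i)) xor F_{W_j^{b_j}}(I_g, pi_j(b_j)), with b_out = g(b_i, b_j).
    The first two columns are implicit in the row order: the table is 4*(K+1) random-looking bytes."""
    rows = [b""] * 4
    for b_i in (0, 1):
        for b_j in (0, 1):
            p_i, p_j = wire_i[2] ^ b_i, wire_j[2] ^ b_j
            b_out = g(b_i, b_j)
            plain = wire_out[b_out] + bytes([wire_out[2] ^ b_out])
            mask = xor(F(wire_i[b_i], gate_id, p_i), F(wire_j[b_j], gate_id, p_j))
            rows[2 * p_i + p_j] = xor(plain, mask)
    return b"".join(rows)


def eval_gate(gate_id: int, table: bytes, gi: tuple, gj: tuple) -> tuple:
    """Evaluator side: from the garbled inputs recover (W_out^{b_out}, pi_out(b_out))
    without learning b_i, b_j or b_out."""
    (w_i, p_i), (w_j, p_j) = gi, gj
    row = 2 * p_i + p_j
    entry = table[row * (K + 1):(row + 1) * (K + 1)]
    plain = xor(entry, xor(F(w_i, gate_id, p_i), F(w_j, gate_id, p_j)))
    return plain[:K], plain[K]


def run_gate(g) -> list:
    """Garble one gate computing g, evaluate all four inputs, and let the program owner un-permute."""
    wi, wj, wo = new_wire(), new_wire(), new_wire()
    table = garble_gate(7, g, wi, wj, wo)
    assert len(table) == 4 * (K + 1)
    results = []
    for b_i in (0, 1):
        for b_j in (0, 1):
            w_out, p_out = eval_gate(7, table, garbled(wi, b_i), garbled(wj, b_j))
            b_out = p_out ^ wo[2]              # B applies pi_out^{-1}
            assert w_out == wo[b_out]          # the recovered label is the correct one
            results.append(((b_i, b_j), b_out))
    return results


if __name__ == "__main__":
    print(run_gate(lambda a, b: a & b))
```

Only the row selected by the two permuted bits can be unmasked: the other three rows need a PRF key (a wire label) the evaluator does not hold, which is the property the text relies on when it says $T_g$ reveals nothing about other inputs.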

7.2.3 Steganographic Encoding

We use provably secure steganography to transform Yao's protocol into a covert two-party protocol; we also use it as a building block for all other covert protocols presented in this chapter. For completeness we state a construction that has appeared in various forms in [4, 16, 34]. Let $\mathcal{HASH}$ denote a family of hash functions $H : D \to \{0,1\}^m$ which is pairwise independent, that is, for any $x_1 \ne x_2 \in D$, for any $y_1, y_2 \in \{0,1\}^m$, $\Pr_H[H(x_1) = y_1 \wedge H(x_2) = y_2] = 1/2^{2m}$. Let $\mathcal{D}$ denote an arbitrary probability distribution on $D$ satisfying $H_\infty(\mathcal{D}) = \ell(k)$ where $k$ is the security parameter. The following constructions hide and recover $m$ uniformly-chosen bits in a distribution indistinguishable from $\mathcal{D}$ when $\ell(k) - m = \omega(\log k)$ and $m = O(\log k)$.

Construction 7.2. (Basic steganographic encoding/decoding routines)


Procedure Basic_Encode:
Input: $H \in \mathcal{HASH}$, $c \in \{0,1\}^m$
Let $j = 0$
repeat:
    sample $s \leftarrow \mathcal{D}$, increment $j$
until $H(s) = c$ OR ($j > k$)
Output: $s$


Procedure Basic_Decode:
Input: $H \in \mathcal{HASH}$, $s \in D$
set $c = H(s)$
Output: $c$


Proposition 7.3. Let $H \leftarrow \mathcal{HASH}$. Then
$$\Delta\big((H, \mathrm{Basic\_Encode}^{\mathcal{D}}(H, U_m)),\ (H, \mathcal{D})\big) \le 2^{(m - \ell(k))/2 + 1}.$$

The result follows from the Leftover Hash Lemma ([33], Lemma 4.8). Intuitively, it guarantees that Basic_Encode($c$) will be (statistically) indistinguishable from the messages exchanged in a bidirectional channel whenever $c$ is a uniformly chosen bit string. (When we refer to Basic_Encode with only a single argument, we implicitly assume that an appropriate $H$ has been chosen and is publicly accessible to all parties.)

Thus, to guarantee covertness for channel $B$, we will ensure that all our protocols generate messages that are indistinguishable from uniformly chosen random bits and then encode these messages with Basic_Encode. Formally, suppose $\Pi = (P_0, P_1)$ is an arbitrary two-party protocol which securely realizes the functionality $f$. We will construct a protocol $\Sigma_\Pi = (S^{\Pi}_0, S^{\Pi}_1)$ which has the property that if $V^{\Pi}_{P_b}(x)$ is indistinguishable from uniformly chosen bits (that is, $\Pi$ covertly realizes $f$ for the uniform channel), then $\Sigma_\Pi$ covertly realizes the functionality $f$ for channel $B$. We assume that $P_0, P_1$ have the property that, given a partial input, they return the string $\epsilon$, indicating that more bits of input are needed. Then $S^{\Pi}_b$ has the following round function (which simply uses Basic_Encode and Basic_Decode to encode and decode all messages exchanged by $P_0$ and $P_1$):
Construction 7.4. (Transformation to a covert protocol)

Procedure Σ^B_b:

Input: history h ∈ H, state, document s ∈ D
  draw d ← B^b_h
  if (state.status = "receiving") then
    set state.msg = state.msg || Basic_Decode(s)
    set c = P_b(state.msg)
    if (c ≠ ε) set state.status = "sending"; set state.msg = c
  if (state.status = "sending") then
    if (d ≠ ⊥) then
      set c = first m bits of state.msg
      set state.msg = state.msg without the first m bits
      set d = Basic_Encode^{B^b_h}(c)
      if state.msg = "" set state.status = "receiving"
Output: message d, state
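The round function above, modelled in Python as an added example (this is not code from the thesis). It assumes the rejection-sampling form of Basic_Encode (draw documents from the channel until the public function h maps one to the wanted m bits, with Basic_Decode simply being h), a constructed sixteen-word cover channel that ignores the history, a toy checksum in place of the thesis's hash function h, and a two-message inner protocol Π whose messages are 8 uniform bits each. The simulation drives both wrapped parties over alternating turns and shows that the public transcript consists only of cover words while the inner parties still receive each other's bits.

```python
"""Toy model of the round function of Construction 7.4.

Added example, not the thesis's own code.  Assumptions: Basic_Encode is the
rejection-sampling encoder (draw cover documents until the public function h
maps one to the wanted m bits) and Basic_Decode is h itself; the cover channel
is a constructed word distribution that ignores the history h; h is a toy
checksum standing in for the thesis's hash function.  Nothing here is secure."""
import random

M = 2                                   # bits carried per document (the thesis's m)
rng = random.Random(1)                  # seeded so the demo is reproducible

# Constructed cover channel: a sentence-like word list drawn uniformly.
COVER = ["the", "quick", "brown", "fox", "jumps", "over", "lazy", "dog",
         "and", "then", "sleeps", "all", "day", "long", "in", "sun"]

def channel_draw(party, turn):
    """d <- B^b_h: a cover document when it is this party's turn to speak, else None (bottom)."""
    return rng.choice(COVER) if turn == party else None

def h(doc):
    """Public map h : D -> {0,1}^m shared by all parties (toy checksum, see module docstring)."""
    return sum(doc.encode()) % (1 << M)

def basic_encode(c, party, turn, tries=256):
    """Rejection sampling: keep drawing from the channel until h(d) = c."""
    for _ in range(tries):
        d = channel_draw(party, turn)
        if h(d) == c:
            return d
    return d                            # give up and send the last draw (a decoding error)

def basic_decode(doc):
    return h(doc)

def to_chunks(v, nbits=8):
    """Split an nbits-bit integer into m-bit chunks, least significant first."""
    return [(v >> (i * M)) & ((1 << M) - 1) for i in range(nbits // M)]

def from_chunks(chunks):
    return sum(c << (i * M) for i, c in enumerate(chunks))

class InnerParty:
    """P_b of the inner protocol Pi, constructed for the demo: P_0 opens with an 8-bit
    uniform string, P_1 answers with its own once all 8 bits have arrived.  A call
    returns None (the thesis's epsilon) while more input bits are needed."""
    def __init__(self, party, secret):
        self.party, self.secret, self.sent, self.received = party, secret, False, None

    def __call__(self, msg):
        if len(msg) == 8 // M and self.received is None:
            self.received = from_chunks(msg)
        if not self.sent and (self.party == 0 or self.received is not None):
            self.sent = True
            return to_chunks(self.secret)
        return None

def sigma_round(party, state, s, turn, P):
    """One call of Sigma^B_b: decode the incoming document, feed the inner party, and
    while a reply is pending replace the cover document with Basic_Encode of the next
    m bits.  Returns (document or None, new state)."""
    d = channel_draw(party, turn)
    if state["status"] == "receiving":
        if s is not None:
            state["msg"] = state["msg"] + [basic_decode(s)]
        c = P(state["msg"])
        if c is not None:
            state["status"], state["msg"] = "sending", c
    if state["status"] == "sending" and d is not None:
        c, state["msg"] = state["msg"][0], state["msg"][1:]
        d = basic_encode(c, party, turn)
        if not state["msg"]:
            state["status"] = "receiving"
    return d, state

def run_simulation(secret0, secret1, rounds=24):
    """Drive both wrapped parties over alternating turns.  Returns the public transcript
    (everything an eavesdropper sees) and the two inner parties."""
    parties = {0: InnerParty(0, secret0), 1: InnerParty(1, secret1)}
    state = {b: {"status": "receiving", "msg": []} for b in (0, 1)}
    inbox, transcript = {0: None, 1: None}, []
    for t in range(rounds):
        for b in (0, 1):
            d, state[b] = sigma_round(b, state[b], inbox[b], t % 2, parties[b])
            inbox[b] = None
            if d is not None:
                inbox[1 - b] = d
                transcript.append(d)
    return transcript, parties[0], parties[1]
```

One implementation decision the construction leaves implicit is visible here: a party in the "receiving" state decodes every incoming document, including the other side's innocent cover traffic, so the inner protocol must know its own message boundaries (fixed 8-bit messages in this demo), while a party in the "sending" state ignores incoming documents, which is why the cover words Bob emits during Alice's transmission do no harm.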

Theorem 7.5. If $\Pi$ covertly realizes the functionality $f$ for the uniform channel, then
$\Sigma_\Pi$ covertly realizes $f$ for the bidirectional channel $B$.

Proof. Let $k_c$ be an upper bound on the number of bits in $(P_0(x_0), P_1(x_1))$. Then $\Sigma_\Pi$
transmits at most $2k_c/m$ (non-empty) documents. Suppose there is a distinguisher
$D$ for $V^{\Sigma_\Pi}_b(x)$ from $V^{\Sigma_\Pi : B_{1-b}}_b(x)$ with significant advantage $\varepsilon$. Then $D$ can be used to
distinguish $V^\Pi_b(x)$ from $V^{\Pi : U_{1-b}}_b(x)$, by simulating each round as in $\Sigma$ to produce a
transcript $T$. If the input is uniform, then $\Delta(T, B) \le (k_c/m)\, 2^{2-(H_\infty(B)-m)/2} = \nu(k)$,
and if the input is from $\Pi$, then $T$ is identical to $V^{\Sigma_\Pi}_b(x)$. Thus $D$'s advantage in
distinguishing $\Pi$ from $\Pi : U_{1-b}$ is at least $\varepsilon - \nu(k)$. □

IMPORTANT: For the remainder of the chapter we will present protocols $\Pi$ that
covertly realize $f$ for $U$. It is to be understood that the final protocol is meant to
be $\Sigma_\Pi$, and that when we state that "$\Pi$ covertly realizes the functionality $f$" we are
referring to $\Sigma_\Pi$.
7.2.4 Covert Oblivious Transfer

As mentioned above, we guarantee the security of our protocols by ensuring that all
the messages exchanged are indistinguishable from uniformly chosen random bits. To
this effect, we present a modification of the Naor-Pinkas [45] protocol for oblivious
transfer that ensures that all messages exchanged are indistinguishable from uniform
when the input messages $m_0$ and $m_1$ are uniformly chosen. Our protocol relies on the
well-known integer decisional Diffie-Hellman assumption:

Integer Decisional Diffie-Hellman.

Let $P$ and $Q$ be primes such that $Q$ divides $P - 1$, let $\mathbb{Z}_P^*$ be the multiplicative
group of integers modulo $P$, and let $g \in \mathbb{Z}_P^*$ have order $Q$. Let $A$ be an adversary
that takes as input three elements of $\mathbb{Z}_P^*$ and outputs a single bit. Define the DDH
advantage of $A$ over $(g, P, Q)$ as
$$\mathrm{Adv}^{\mathrm{ddh}}_A(g, P, Q) = \left|\Pr_{a,b,r}[A_r(g^a, g^b, g^{ab}, g, P, Q) = 1] - \Pr_{a,b,c,r}[A_r(g^a, g^b, g^c, g, P, Q) = 1]\right|,$$
where $A_r$ denotes the adversary $A$ running with random tape $r$, $a, b, c$ are chosen
uniformly at random from $\mathbb{Z}_Q$ and all the multiplications are over $\mathbb{Z}_P^*$. The Integer
Decisional Diffie-Hellman assumption (DDH) states that for every PPT $A$, for every
sequence $\{(P_k, Q_k, g_k)\}_k$ satisfying $|P_k| = k$ and $|Q_k| = \Theta(k)$, $\mathrm{Adv}^{\mathrm{ddh}}_A(g_k, P_k, Q_k)$ is
negligible in $k$.

Setup.

Let $p = rq + 1$ where $2^k < p < 2^{k+1}$, $q$ is a large prime, and $\gcd(r, q) = 1$; let $g$
generate $\mathbb{Z}_p^*$, so that $\gamma = g^r$ generates the unique multiplicative subgroup of order
$q$; let $\bar r$ be the least positive integer such that $r \bar r \equiv 1 \pmod q$. Assume $|m_0| = |m_1| \le k/2$.
Let $H : \{0,1\}^{2k} \times \mathbb{Z}_p \to \{0,1\}^{k/2}$ be a pairwise-independent family of hash functions.
Define the randomized mapping $\phi : \langle\gamma\rangle \to \mathbb{Z}_p^*$ by $\phi(h) = h^{\bar r} g^{\beta q}$, for a uniformly
chosen $\beta \in \mathbb{Z}_r$. Notice that $\phi(h)^r = h$ (since $h$ has order $q$ and $g^{\beta q r} = g^{\beta(p-1)} = 1$),
and that for a uniformly chosen $h \in \langle\gamma\rangle$, $\phi(h)$ is a uniformly chosen element of $\mathbb{Z}_p^*$
(because $\gcd(r, q) = 1$, so $\mathbb{Z}_p^*$ is the direct product of its subgroups of order $q$ and $r$).
The following protocol is a simple modification of the Naor-Pinkas 2-round oblivious
transfer protocol [45]:

Construction 7.6. COT:

1. On input $\sigma \in \{0,1\}$, $C$ chooses uniform $a, b \in \mathbb{Z}_q$, sets $c_\sigma = ab \bmod q$ and
uniformly chooses $c_{1-\sigma} \in \mathbb{Z}_q$. $C$ sets $x = \gamma^a$, $y = \gamma^b$, $z_0 = \gamma^{c_0}$, $z_1 = \gamma^{c_1}$ and sets
$x' = \phi(x)$, $y' = \phi(y)$, $z_0' = \phi(z_0)$, $z_1' = \phi(z_1)$. If the most significant bits of all of
$x', y', z_0', z_1'$ are 0 (that is, each is less than $2^k$), $C$ sends the least significant $k$ bits
of each to $S$; otherwise $C$ picks new $a, b, c_{1-\sigma}$ and starts over.

2. The sender recovers $x, y, z_0, z_1$ by raising to the power $r$, picks $f_0, f_1 \in H$ and
then:

• $S$ repeatedly chooses uniform $r_0, s_0 \in \mathbb{Z}_q$ and sets $w_0 = x^{s_0}\gamma^{r_0}$, $w_0' = \phi(w_0)$
until he finds a pair with $w_0' < 2^k$. He then sets $K_0 = z_0^{s_0} y^{r_0}$.

• $S$ repeatedly chooses uniform $r_1, s_1 \in \mathbb{Z}_q$ and sets $w_1 = x^{s_1}\gamma^{r_1}$, $w_1' = \phi(w_1)$
until he finds a pair with $w_1' < 2^k$. He then sets $K_1 = z_1^{s_1} y^{r_1}$.

$S$ sends $w_0' \| f_0 \| f_0(K_0) \oplus m_0 \| w_1' \| f_1 \| f_1(K_1) \oplus m_1$.

3. $C$ recovers $w_\sigma = (w_\sigma')^r$ and $K_\sigma = w_\sigma^b = \gamma^{b(a s_\sigma + r_\sigma)} = z_\sigma^{s_\sigma} y^{r_\sigma}$ (using $z_\sigma = \gamma^{ab}$),
and computes $m_\sigma$ by XORing $f_\sigma(K_\sigma)$ with the $\sigma$-th masked block. Since $c_{1-\sigma}$ is
independent of $ab$, $K_{1-\sigma}$ is a uniform group element unrelated to $C$'s secrets, which is
what hides $m_{1-\sigma}$.

Lemma 7.7. $S$ cannot distinguish between the case that $C$ is following the COT
protocol and the case that $C$ is drawing from $U_C$; that is,
$$V^{\mathrm{COT}}_S(m_0, m_1, \sigma) \approx V^{\mathrm{COT}:U_C}_S(m_0, m_1, \sigma).$$

Proof. Suppose that there exists a distinguisher $D$ with advantage $\varepsilon$. Then there
exists a DDH adversary $A$ with advantage at least $\varepsilon/8 - \nu(k)$ for a negligible $\nu$. $A$
takes as input a triple $(\gamma^a, \gamma^b, \gamma^c)$, picks a random bit $\sigma$, sets $z_\sigma = \gamma^c$ and picks a
uniform $z_{1-\sigma}' \in \{0,1\}^k$, and computes $x' = \phi(\gamma^a)$, $y' = \phi(\gamma^b)$, $z_\sigma' = \phi(z_\sigma)$; if all three
are less than $2^k$, then $A$ outputs $D(x', y', z_0', z_1')$, otherwise $A$ outputs 0.

Clearly, when $c \neq ab$,
$$\Pr[A(\gamma^a, \gamma^b, \gamma^c) = 1] \ge \tfrac{1}{8}\Pr[D(V^{\mathrm{COT}:U_C}_S) = 1],$$
since the elements passed by $A$ to $D$ are uniformly chosen and $A$ invokes $D$ with
probability at least $1/8$ (since each of $x', y', z_\sigma'$ is at least $2^k$ with probability at most
$1/2$). But when $c = ab$, then
$$\Pr[A(\gamma^a, \gamma^b, \gamma^c) = 1] \ge (1/8 - \nu(k))\Pr[D(V^{\mathrm{COT}}_S) = 1],$$
since the elements passed by $A$ to $D$ are chosen exactly according to the distribution
on $C$'s output specified by COT; and since the probability that $D$ is invoked by $A$
is at least $1/8$ when $c \neq ab$, it can be at most $\nu(k)$ less when $c = ab$, by the Integer
DDH assumption. Thus the DDH advantage of $A$ is at least $\varepsilon/8 - \nu(k)$. Since this
must be negligible by the DDH assumption, $\varepsilon$ must also be negligible. □

Lemma 7.8. When $m_0, m_1 \leftarrow U_{k/2}$, $C$ cannot distinguish between the case that $S$ is
following the COT protocol and the case that $S$ is sending uniformly chosen strings.
That is, $V^{\mathrm{COT}}_C(U_{k/2}, U_{k/2}, \sigma) \approx V^{\mathrm{COT}:U_S}_C(U_{k/2}, U_{k/2}, \sigma)$.

Proof. The group elements $w_0, w_1$ are uniformly chosen by $S$, so after rejection $w_0', w_1'$
are uniform over $\{1, \ldots, 2^k - 1\}$ and hence statistically close to uniform $k$-bit strings;
the descriptions $f_0, f_1$ are uniform in $H$; and when $m_0, m_1$ are uniformly chosen,
$f_0(K_0) \oplus m_0$ and $f_1(K_1) \oplus m_1$ are uniform whatever $K_0, K_1$ are. Thus the message
sent by $S$ is indistinguishable from uniform. □

Lemma 7.9. The COT protocol securely realizes the $\mathrm{OT}^1_2$ functionality.

Proof. The protocol described by Naor and Pinkas is identical to the COT protocol,
with the exception that $\phi$ is not applied to the group elements $x, y, z_0, z_1, w_0, w_1$ and
these elements are not rejected if they are at least $2^k$. Suppose an adversarial
sender can predict $\sigma$ with advantage $\varepsilon$ in COT; then he can be used to predict $\sigma$
with advantage $\varepsilon/16 - \nu(k)$ in the Naor-Pinkas protocol, by applying the map $\phi$
to the elements $x, y, z_0, z_1$ and predicting a coin flip if not all are less than $2^k$, and
otherwise using the sender's prediction against the message that COT would send.
Likewise, any bit a chooser can predict about $(m_0, m_1)$ with advantage $\varepsilon$ in COT
can be predicted with advantage $\varepsilon/4$ in the Naor-Pinkas protocol: the chooser's
message can be transformed into elements of $\langle\gamma\rangle$ by raising the components to the
power $r$, and the resulting message of the Naor-Pinkas sender can be transformed by
sampling $w_0' = \phi(w_0)$, $w_1' = \phi(w_1)$ and predicting a coin flip if either is at least
$2^k$, but otherwise giving the prediction of the COT chooser on $w_0' \| f_0 \| f_0(K_0) \oplus
m_0 \| w_1' \| f_1 \| f_1(K_1) \oplus m_1$. □

Conjoining these three lemmas gives the following theorem:

Theorem 7.10. Protocol COT covertly realizes the uniform-$\mathrm{OT}^1_2$ functionality.
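The following Python model of COT is an added example, not the thesis's code. It fixes hand-picked toy parameters $p = 2039 = 2 \cdot 1019 + 1$ (so $k = 10$ and messages are 5 bits), uses a seeded random source, and stands in an affine map for the pairwise-independent family $H$; all three are assumptions for the demo and carry no security. It exercises the rejection loops on the map $\phi$, the sender's two masked blocks, and the reason the chooser's key $w_\sigma^b$ equals $K_\sigma$ only in the slot whose exponent is $ab$.

```python
"""Toy Python model of the covert oblivious transfer protocol COT (Construction 7.6).

Added example, not the thesis's own code.  Assumptions: the hand-picked toy
parameters p = 2039 = 2*1019 + 1 (so k = 10 and messages are k/2 = 5 bits),
a seeded random source, and an affine map standing in for the pairwise-
independent family H.  None of this is secure; it only exercises the protocol."""
import random

K, Q, R = 10, 1019, 2          # security parameter, large prime q, cofactor r
P = R * Q + 1                  # p = rq + 1 = 2039, a prime with 2^k < p < 2^{k+1}
RBAR = pow(R, -1, Q)           # least integer with r * rbar = 1 (mod q)
rng = random.Random(7)         # reproducible demo; a real system needs `secrets`

def generator_of_zp_star(p, prime_factors):
    """Smallest g generating Z_p^*: g^((p-1)/l) != 1 for every prime l dividing p-1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // l, p) != 1 for l in prime_factors):
            return g
    raise ValueError("no generator found")

G = generator_of_zp_star(P, (2, Q))    # the prime factors of p - 1 = 2 * 1019
GAMMA = pow(G, R, P)                   # gamma = g^r generates the subgroup of order q

def phi(h):
    """phi(h) = h^rbar * g^(beta*q) for uniform beta in Z_r.  phi(h)^r = h, and a
    uniform h in <gamma> maps to a uniform element of Z_p^*."""
    beta = rng.randrange(R)
    return (pow(h, RBAR, P) * pow(G, beta * Q, P)) % P

def unphi(v):
    """Undo phi by raising to the power r (the receiver's step)."""
    return pow(v, R, P)

def fits_k_bits(v):
    """The 'most significant bit is 0' test: the value can be sent as k bits."""
    return v < (1 << K)

def hash_fn(key, value):
    """Toy stand-in for f in H: f_{a,b}(K) = ((a*K + b) mod p) mod 2^{k/2}, with the
    2k-bit key split into a and b."""
    a, b = key >> K, key & ((1 << K) - 1)
    return ((a * value + b) % P) % (1 << (K // 2))

def chooser_round1(sigma):
    """Step 1: a DDH tuple with gamma^{ab} in slot sigma, re-randomised by phi and
    resampled until all four images fit in k bits.  Returns the message and C's secret b."""
    while True:
        a, b = rng.randrange(1, Q), rng.randrange(1, Q)
        c = [0, 0]
        c[sigma], c[1 - sigma] = (a * b) % Q, rng.randrange(Q)
        elems = [pow(GAMMA, e, P) for e in (a, b, c[0], c[1])]      # x, y, z_0, z_1
        images = [phi(e) for e in elems]
        if all(fits_k_bits(v) for v in images):
            return images, b

def sender_round2(images, m0, m1):
    """Step 2: recover x, y, z_0, z_1, then blind each message with K_i = z_i^{s_i} y^{r_i}
    and a re-randomised w_i' that also has to fit in k bits."""
    x, y, z0, z1 = (unphi(v) for v in images)
    reply = []
    for z, m in ((z0, m0), (z1, m1)):
        while True:
            r_i, s_i = rng.randrange(Q), rng.randrange(Q)
            w_prime = phi((pow(x, s_i, P) * pow(GAMMA, r_i, P)) % P)   # w_i = x^{s_i} gamma^{r_i}
            if fits_k_bits(w_prime):
                break
        key_i = (pow(z, s_i, P) * pow(y, r_i, P)) % P
        f_i = rng.getrandbits(2 * K)                                  # description of f_i in H
        reply.append((w_prime, f_i, hash_fn(f_i, key_i) ^ m))
    return reply

def chooser_round3(reply, sigma, b):
    """Step 3: K_sigma = w_sigma^b = gamma^{b(a s + r)} = z_sigma^{s} y^{r} because
    z_sigma = gamma^{ab}; for the other slot z_{1-sigma} is unrelated to ab and the
    key cannot be derived, which is what hides m_{1-sigma}."""
    w_prime, f_sigma, masked = reply[sigma]
    k_sigma = pow(unphi(w_prime), b, P)
    return hash_fn(f_sigma, k_sigma) ^ masked

def run_cot(m0, m1, sigma):
    """Complete run; returns what the chooser learns (m0 and m1 must be < 2^{k/2})."""
    images, b = chooser_round1(sigma)
    return chooser_round3(sender_round2(images, m0, m1), sigma, b)
```

Every field that crosses the wire (the four images in round 1, the two $w'$ values in round 2) passes the `fits_k_bits` test, so each is a $k$-bit value drawn from the uniform element of $\mathbb{Z}_p^*$ that $\phi$ produces; that rejection step, not the arithmetic, is what Lemmas 7.7 and 7.8 rely on.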
7.2.5 Combining The Pieces

We can combine the components developed up to this point to make a protocol
which covertly realizes any two-party functionality. The final protocol, which we call
COVERT-YAO, is simple: assume that both parties know a circuit $C_f$ computing the
functionality $f$. Bob first uses Yao's protocol to create a garbled circuit for $C_f$.
Alice and Bob perform $|x_A|$ covert oblivious transfers for the garbled wire values
corresponding to Alice's inputs. Bob sends the garbled gates to Alice. Finally, Alice
collects the garbled output values and sends them to Bob, who de-garbles these values
to obtain the output.

Theorem 7.11. The COVERT-YAO protocol covertly realizes the functionality $f$.

Proof. That (Alice, Bob) securely realize the functionality $f$ follows from the security
of Yao's protocol. Now consider the distribution of each message sent from Alice to
Bob:

• In each execution of COT: each message sent by Alice is uniformly distributed.

• Final values: these are masked by the uniformly chosen bits that Bob chose in
garbling the output gates. To an observer, they are uniformly distributed.

Thus Bob's view, until the last round, is in fact identically distributed when Alice
is running the protocol and when she is drawing from $U$. Likewise, consider the
messages sent by Bob:

• In each execution of COT: because the garbled wire values from Yao's protocol are
uniformly distributed, Theorem 7.10 implies that Bob's messages are indistinguishable
from uniform strings.

• When sending the garbled circuit, the pseudorandomness of $F$ and the uniform
choice of the wire values imply that each garbled gate, even given one garbled input
pair, is indistinguishable from a random string.

Thus Alice's view after all rounds of the protocol is indistinguishable from her view
when Bob draws from $U$.

If Bob can distinguish between Alice running the protocol and drawing from $B$
after the final round, then he can also be used to distinguish between $f(x_A, x_B)$ and
$U_l$. The approach is straightforward: given a candidate $y$, use the simulator from
Yao's protocol to generate a view of the "data layer." If $y \leftarrow f(x_A, x_B)$, then, by
the security of Yao's protocol, this view is indistinguishable from Bob's view when
Alice is running the covert protocol. If $y \leftarrow U_l$, then the simulated view of the final
step is distributed identically to Alice drawing from $U$. Thus Bob's advantage will be
preserved, up to a negligible additive term. □

Notice that as the protocol COVERT-YAO is described, it is not secure against a
malicious Bob who gives Alice a garbled circuit with different operations in the gates,
which could actually output some constant message giving away Alice's participation
even when the value $f(x_0, x_1)$ would not. If instead Bob sends Alice the masking
values for the garbled output bits, Bob could still prevent Alice from learning $f(x_0, x_1)$
but could not detect her participation in the protocol in this way. We use this version
of the protocol in the next section.


7.3 Fair Covert Two-party Computation Against Malicious Adversaries

The protocol presented in the previous section has two serious weaknesses. First,
because Yao's construction conceals the function of the circuit, a malicious Bob can
garble a circuit that computes some function other than the one Alice agreed to
compute. In particular, the new circuit could give away Alice's input or output some
distinguished string that allows Bob to determine that Alice is running the protocol.
Additionally, the protocol is unfair: either Alice or Bob does not get the result.

In this section we present a protocol that avoids these problems. In particular,
our solution has the following properties: (1) If both parties follow the protocol, both
get the result; (2) If Bob cheats by garbling an incorrect circuit, neither party can tell
whether the other is running the protocol, except with negligible advantage; and (3)
Except with negligible probability, if one party terminates early and computes the
result in time $T$, the other party can compute the result in time at most $O(T)$. Our
protocol is secure in the random oracle model, under the Decisional Diffie-Hellman
assumption. We show at the end of this section, however, that our protocol can be
made to satisfy a slightly weaker security condition without the use of a random
oracle. (We note that the technique used in this section has some similarities to one
that appears in [1].)

7.3.1 Definitions

We assume the existence of a non-interactive bitwise commitment scheme with
commitments which are indistinguishable from random bits. One example is the
(well-known) scheme which commits to $b$ by $\mathrm{CMT}(b; (r, x)) = r \| \pi(x) \| (x \cdot r) \oplus b$, where $\pi$
is a one-way permutation on domain $\{0,1\}^k$, $x \cdot y$ denotes the inner product of $x$ and
$y$ over $GF(2)$, and $x, r \leftarrow U_k$. The integer DDH assumption implies the existence of
such permutations.

Let $f$ denote the functionality we wish to compute. We say that $f$ is fair if for
every distinguisher $D_\sigma$ distinguishing $f(X_0, X_1)$ from $U$ given $X_\sigma$ with advantage at
least $\varepsilon$, there is a distinguisher $D_{1-\sigma}$ with advantage at least $\varepsilon - \nu(k)$, for a negligible
function $\nu$. (That is, if $P_0$ can distinguish $f(X_0, X_1)$ from uniform, so can $P_1$.) We
say $f$ is strongly fair if $(f(X_0, X_1), X_0) \approx (f(X_0, X_1), X_1)$.

An $n$-round, two-party protocol $\Pi = (P_0, P_1)$ to compute functionality $f$ is said
to be a strongly fair covert protocol for the bidirectional channel $B$ if the following
conditions hold:

• (External covertness): For any input $x$, $(P_0(x_0), P_1(x_1)) \approx B$.

• (Strong Internal Covertness): There exists a PPT $E$ (an extractor) such that
if PPT $D(V)$ distinguishes between $V^\Pi_\sigma(x)$ and $V^{\Pi : B_{1-\sigma}}_\sigma(x)$ with advantage $\varepsilon$,
then $E^D(V^\Pi_\sigma(x))$ computes $f(x)$ with probability at least $\varepsilon/\mathrm{poly}(k)$.

• (Strong Fairness): If the functionality $f$ is fair, then for any $C_\sigma$ running in time
$T$ such that $\Pr[C_\sigma(V^\Pi_\sigma(x)) = f(x)] \ge \varepsilon$, there exists a $C_{1-\sigma}$ running in time
$O(T)$ such that $\Pr[C_{1-\sigma}(V^\Pi_{1-\sigma}(x)) = f(x)] = \Omega(\varepsilon)$.

• (Final Covertness): For every PPT $D$ there exists a PPT $D'$ and a negligible $\nu$
such that for any $x_\sigma$ and distribution $X_{1-\sigma}$,
$$\mathrm{Adv}_D^{V^\Pi_\sigma(X_{1-\sigma}, x_\sigma),\; V^{\Pi : B_{1-\sigma}}_\sigma(X_{1-\sigma}, x_\sigma)}(k) \le \mathrm{Adv}_{D'}^{f(X_{1-\sigma}, x_\sigma),\; U_l}(k) + \nu(k).$$

Intuitively, the Internal Covertness requirement states that "Alice can't tell if Bob is
running the protocol until she gets the answer," while Strong Fairness requires that
"Alice can't get the answer unless Bob can." Combined, these requirements imply
that neither party has an advantage over the other in predicting whether the other is
running the protocol.


7.3.2 Construction

As before, we have two parties, $P_0$ (Alice) and $P_1$ (Bob), with inputs $x_0$ and $x_1$,
respectively, and the function Alice and Bob wish to compute is $f : \{0,1\}^{l_0} \times \{0,1\}^{l_1} \to
\{0,1\}^l$, presented by the circuit $C_f$. The protocol proceeds in three stages: COMMIT,
COMPUTE, and REVEAL. In the COMMIT stage, Alice picks $k + 2$ strings, $r_0$ and
$s_0[0], \ldots, s_0[k]$, each $k$ bits in length. Alice computes commitments to these values,
using a bitwise commitment scheme which is indistinguishable from random bits, and
sends the commitments to Bob. Bob does likewise (picking strings $r_1, s_1[0], \ldots, s_1[k]$).

The next two stages involve the use of a pseudorandom generator $G : \{0,1\}^k \to
\{0,1\}^l$ which we will model as a random oracle for the security argument only: $G$
itself must have an efficiently computable circuit. In the COMPUTE stage, Alice and
Bob compute two serial runs ("rounds") of the covert Yao protocol described in the
previous section. If neither party cheats, then at the conclusion of the COMPUTE
stage, Alice knows $f(x_0, x_1) \oplus G(r_1)$ and Bob's value $s_1[0]$, while Bob knows $f(x_0, x_1) \oplus
G(r_0)$ and Alice's value $s_0[0]$. The REVEAL stage consists of $k$ rounds of two runs
each of the covert Yao protocol. At the end of each round $i$, if nobody cheats, Alice
learns the $i$th bit of Bob's string $r_1$, labeled $r_1[i]$, and also Bob's value $s_1[i]$, and Bob
learns $r_0[i]$, $s_0[i]$. After $k$ rounds in which neither party cheats, Alice thus knows $r_1$
and can compute $f(x_0, x_1)$ by computing the exclusive-or of $G(r_1)$ with the value she
learned in the COMPUTE stage, and Bob can likewise compute the result.

Each circuit sent by Alice must check that Bob has obeyed the protocol; thus at
every round of every stage, the circuit that Alice sends to Bob takes as input the
opening of all of Bob's commitments, and checks to see that all of the bits Alice has
learned so far are consistent with Bob's input. The difficulty to overcome with this
approach is that the result of the check cannot be returned to Alice without giving
away that Bob is running the protocol. To solve this problem, Alice's circuits also take
as input the last value $s_0[i-1]$ that Bob learned. If Alice's circuit ever finds that the
bits she has learned are inconsistent with Bob's input, or that Bob's input for $s_0[i-1]$
is not consistent with the actual value of $s_0[i-1]$, the output is a uniformly chosen
string of the appropriate length. Once this happens, all future outputs to Bob will
also be independently and uniformly chosen, because he will have the wrong value for
$s_0[i]$, which will give him the wrong value for $s_0[i+1]$, etc. Thus the values $s_0[1, \ldots, k]$
serve as "state" bits that Bob maintains for Alice. The analogous statements hold
for Bob's circuits and Alice's inputs.

Construction 7.12. (Fair covert two-party computation)

Inputs and setup. To begin, each party $P_\sigma$ chooses $k + 2$ random strings $r_\sigma,
s_\sigma[0], \ldots, s_\sigma[k] \leftarrow U_k$. $P_\sigma$'s inputs to the protocol are then $X_\sigma = (x_\sigma, r_\sigma, s_\sigma[0 \ldots k])$.

COMMIT stage. Each party $P_\sigma$ computes the commitment $K_\sigma = \mathrm{CMT}(X_\sigma; \rho_\sigma)$
and sends this commitment to the other party. Denote by $\hat K_\sigma$ the value that $P_\sigma$
interprets as a commitment to $X_{1-\sigma}$; that is, $\hat K_0$ denotes the value Alice interprets as
a commitment to Bob's input $X_1$.

COMPUTE stage. The COMPUTE stage consists of two serial runs of the COVERT-YAO
protocol.

1. Bob garbles the circuit $\mathrm{COMPUTE}_1$ shown in Figure 7.1, which takes $x_0$, $r_0$,
$s_0[0], \ldots, s_0[k]$, and $\rho_0$ as input and outputs $G(r_1) \oplus f(x_0, x_1) \| s_1[0]$ if $\hat K_1$ is
a commitment to $X_0$. If this check fails, $\mathrm{COMPUTE}_1$ outputs a uniformly
chosen string, which has no information about $f(x_0, x_1)$ or $s_1[0]$. Bob and Alice
perform the COVERT-YAO protocol; Alice labels her result $F_0 \| S_0[0]$.
2. Alice garbles the circuit $\mathrm{COMPUTE}_0$ shown in Figure 7.1, which takes $x_1$, $r_1$,
$s_1[0], \ldots, s_1[k]$, and $\rho_1$ as input and outputs $G(r_0) \oplus f(x_0, x_1) \| s_0[0]$ if $\hat K_0$ is a
commitment to $X_1$. If this check fails, $\mathrm{COMPUTE}_0$ outputs a uniformly chosen
string, which has no information about $f(x_0, x_1)$ or $s_0[0]$. Bob and Alice perform
the COVERT-YAO protocol; Bob labels his result $F_1 \| S_1[0]$.

COMPUTE_σ(x_{1-σ}, r, s[0...k], ρ) =
  if (K̂_σ = CMT(x_{1-σ}, r, s; ρ))
    then set F = G(r_σ) ⊕ f(x_0, x_1), S = s_σ[0]
    else draw F ← U_l, S ← U_k
  output F || S

REVEAL^i_σ(x_{1-σ}, S_{1-σ}[i-1], r, s_{1-σ}[0...k], ρ) =
  Let F = G(r) ⊕ f(x_0, x_1)
  if (K̂_σ = CMT(x_{1-σ}, r, s_{1-σ}; ρ) and
      F = F_σ and
      R_σ[i-1] = r[i-1] and
      S_{1-σ}[i-1] = s_σ[i-1] and
      S_σ[i-1] = s_{1-σ}[i-1]) then
    set R = r_σ[i], S = s_σ[i]
    else draw R ← {0,1}, S ← U_k
  output R || S

Figure 7.1: The circuits COMPUTE and REVEAL. In both circuits the garbling party
$P_\sigma$'s own values ($x_\sigma$, $r_\sigma$, $s_\sigma[\cdot]$, $\hat K_\sigma$, $F_\sigma$, $R_\sigma[\cdot]$, $S_\sigma[\cdot]$) are hardwired; the
arguments are supplied by $P_{1-\sigma}$.


REVEAL stage. The REVEAL stage consists of $k$ rounds, each of which consists
of 2 runs of the COVERT-YAO protocol:

1. In round $i$, Bob garbles the circuit $\mathrm{REVEAL}^i_1$ shown in Figure 7.1, which takes
input $x_0$, $S_0[i-1]$, $r_0$, $s_0[0 \ldots k]$, $\rho_0$ and checks that:

• Bob's result from the COMPUTE stage, $F_1$, is consistent with $x_0$, $r_0$.

• The bit $R_1[i-1]$ which Bob learned in round $i-1$ is equal to bit $i-1$
of Alice's secret $r_0$. (By convention, and for notational uniformity, we
define $R_0[0] = R_1[0] = r_0[0] = r_1[0] = 0$.)

• The state $S_0[i-1]$ that Bob's circuit gave Alice in the previous round was
correct, meaning Alice obeyed the protocol up to round $i-1$ and is feeding
back the value she actually received.

• Finally, that the state $S_1[i-1]$ revealed to Bob in the previous round was
the state $s_0[i-1]$ which Alice committed to in the COMMIT stage.

If all of these checks succeed, Bob's circuit outputs bit $i$ of $r_1$ and state $s_1[i]$;
otherwise the circuit outputs a uniformly chosen $(k+1)$-bit string. Alice and Bob
perform COVERT-YAO and Alice labels the result $R_0[i]$, $S_0[i]$.

2. Alice garbles the circuit $\mathrm{REVEAL}^i_0$ depicted in Figure 7.1, which performs the
analogous computations to $\mathrm{REVEAL}^i_1$, and performs the COVERT-YAO protocol
with Bob. Bob labels the result $R_1[i]$, $S_1[i]$.

After $k$ such rounds, if Alice and Bob have been following the protocol, we have
$R_1 = r_0$ and $R_0 = r_1$ and both parties can compute the result. The "states" $s$ are
what allow Alice and Bob to check that all previous outputs and key bits (bits of $r_0$
and $r_1$) sent by the other party have been correct, without ever receiving the results
of the checks or revealing whether the checks fail or succeed.
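The three stages above, simulated in Python as an added example (not the thesis's code). The garbled circuits of the COVERT-YAO sub-protocol are replaced by a trusted evaluator that simply runs the garbling party's circuit function on the other party's inputs, so the example models only the commitment and state-chaining logic, not Yao's protocol; $\mathrm{CMT}$ and $G$ are SHA-256 stand-ins (an assumption) for the bitwise commitment scheme and for the generator that the proof models as a random oracle, $f$ is a constructed bitwise AND, and $k = 8$ is far too small to be secure. The `cheat_from_round` switch makes a party's REVEAL circuits lie from a chosen round on, so the cascade of randomized outputs described above can be observed.

```python
"""Toy simulation of Construction 7.12 (COMMIT / COMPUTE / REVEAL).

Added example, not the thesis's own code.  The garbled circuits of the COVERT-YAO
sub-protocol are replaced by a trusted evaluator that simply runs the garbling
party's circuit function on the other party's inputs, so only the commitment and
state-chaining logic is modelled, not Yao's protocol.  CMT and G are SHA-256
stand-ins (an assumption) for the bitwise commitment scheme and for the generator
G that the proof models as a random oracle.  Parameters are tiny and insecure."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

K = 8           # toy security parameter: r_sigma has k bits, so REVEAL runs k rounds
L = 8           # output length of f

def f(x0, x1):
    """Constructed example functionality: bitwise AND of the two l-bit inputs."""
    return x0 & x1

def G(r):
    """PRG / random-oracle stand-in mapping a k-bit seed to an l-bit string."""
    return int.from_bytes(hashlib.sha256(b"G" + r.to_bytes(K, "big")).digest(), "big") % (1 << L)

def CMT(X, rho):
    """Commitment stand-in: a hash binding the tuple X under randomness rho."""
    return hashlib.sha256(b"CMT" + rho + repr(X).encode()).digest()

def bit(v, i):
    """Bit i of v for i >= 1; bit 0 is defined as 0, matching the convention r[0] = 0."""
    return (v >> (i - 1)) & 1 if i >= 1 else 0

@dataclass
class Party:
    x: int
    r: int = field(default_factory=lambda: secrets.randbits(K))
    s: list = field(default_factory=lambda: [secrets.randbits(K) for _ in range(K + 1)])
    rho: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    K_hat: bytes = b""                 # the other party's commitment, as received
    F: int = 0                         # this party's result from the COMPUTE stage
    R: list = field(default_factory=lambda: [0] * (K + 1))   # key bits learned so far
    S: list = field(default_factory=lambda: [0] * (K + 1))   # state values learned so far
    cheat_from_round: Optional[int] = None   # if set, this party's REVEAL circuits lie from round j on

    def X(self):
        return (self.x, self.r, tuple(self.s))

def f_ordered(sigma, x_owner, x_other):
    """f(x_0, x_1) with the garbling party P_sigma's input in position sigma."""
    return f(x_other, x_owner) if sigma == 1 else f(x_owner, x_other)

def compute_circuit(owner, sigma, X_other, rho_other):
    """COMPUTE_sigma: release G(r_sigma) xor f and the state s_sigma[0] only if the
    other party opened the commitment it sent; otherwise output fresh randomness."""
    if owner.K_hat == CMT(X_other, rho_other):
        return (G(owner.r) ^ f_ordered(sigma, owner.x, X_other[0]), owner.s[0])
    return (secrets.randbits(L), secrets.randbits(K))

def reveal_circuit(owner, sigma, i, X_other, rho_other, S_other_prev):
    """REVEAL^i_sigma.  Every check runs inside the circuit and its outcome is never
    output: the other party receives either the true (r_sigma[i], s_sigma[i]) or a
    uniformly random pair, and cannot tell which."""
    x_o, r_o, s_o = X_other
    ok = (owner.K_hat == CMT(X_other, rho_other)
          and G(r_o) ^ f_ordered(sigma, owner.x, x_o) == owner.F   # F_sigma consistent with x, r
          and owner.R[i - 1] == bit(r_o, i - 1)                     # key bit learned last round
          and S_other_prev == owner.s[i - 1]                        # state this circuit handed out
          and owner.S[i - 1] == s_o[i - 1])                         # state learned vs. committed
    cheating = owner.cheat_from_round is not None and i >= owner.cheat_from_round
    if ok and not cheating:
        return (bit(owner.r, i), owner.s[i])
    return (secrets.randbits(1), secrets.randbits(K))

def run_protocol(alice, bob):
    """COMMIT, then two COMPUTE runs, then k REVEAL rounds of two runs each."""
    bob.K_hat, alice.K_hat = CMT(alice.X(), alice.rho), CMT(bob.X(), bob.rho)
    alice.F, alice.S[0] = compute_circuit(bob, 1, alice.X(), alice.rho)
    bob.F, bob.S[0] = compute_circuit(alice, 0, bob.X(), bob.rho)
    for i in range(1, K + 1):
        alice.R[i], alice.S[i] = reveal_circuit(bob, 1, i, alice.X(), alice.rho, alice.S[i - 1])
        bob.R[i], bob.S[i] = reveal_circuit(alice, 0, i, bob.X(), bob.rho, bob.S[i - 1])

def learned_key(p):
    """Reassemble the key bits a party collected into an integer."""
    return sum(p.R[i] << (i - 1) for i in range(1, K + 1))

def result(p):
    """What the party computes at the end: F_sigma xor G(reassembled key)."""
    return p.F ^ G(learned_key(p))

def correct_rounds(p, true_r):
    """Number of consecutive rounds from round 1 in which p received the right key bit."""
    n = 0
    while n < K and p.R[n + 1] == bit(true_r, n + 1):
        n += 1
    return n
```

With `cheat_from_round=3` on Alice, her REVEAL circuits lie from round 3 on: Bob's key bit and state from round 3 are garbage, and because his $S_1[3]$ then fails the check inside Bob's own honest circuit in round 4, Alice's outputs from round 4 on are garbage as well. Alice is left with at most one more correct key bit than Bob, which is the head start the proof of Theorem 7.13 bounds by a constant factor in brute-force time; nothing in either party's outputs signals that a check failed.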

Theorem 7.13. Construction 7.12 is a strongly fair covert protocol realizing the
functionality $f$.

Proof. The correctness of the protocol follows by inspection. The two-party security
follows by the security of Yao's protocol. Now suppose that some party, wlog Alice,
cheats (by sending a circuit which computes an incorrect result) in round $j$. Then the
key bit $R_0[j+1]$ and state $S_0[j+1]$ Alice computes in round $j+1$ will be randomized,
and with overwhelming probability every subsequent result that Alice computes will
be useless. Assuming Alice can distinguish $f(x_0, x_1)$ from uniform, she can still
compute the result in at most $2^{k-j}$ time by exhaustive search over the remaining key
bits. By successively guessing the round at which Alice began to cheat, Bob can
compute the result in time at most $2^{k-j+2}$. If Alice aborts at round $j$, Bob again
can compute the result in time at most $2^{k-j+1}$. If Bob cheats in round $j$ by giving
inconsistent inputs, with high probability all of his remaining outputs are randomized;
thus cheating in this way gives him no advantage over aborting in round $j-1$. Thus
the fairness property is satisfied.

If $G$ is a random oracle, neither Alice nor Bob can distinguish anything in their
view from uniformly chosen bits without querying $G$ at the random string chosen by
the other. So given a distinguisher $D$ running in time $p(k)$ for $V^\Pi_0(x)$ with advantage
$\varepsilon$, it is simple to write an extractor which runs $D$, recording its queries to $G$, picks
one such query (say, $q$) uniformly, and outputs $G(q) \oplus F_0$. Since $D$ can only have an
advantage when it queries $r_1$, $E$ will pick $q = r_1$ with probability at least $1/p(k)$ and
in this case correctly outputs $f(x_0, x_1)$. Thus the Strong Internal Covertness property
is satisfied. □

Weakly fair covertness.

We can achieve a slightly weaker version of covertness without using random oracles.
$\Pi$ is said to be a weakly fair covert protocol for the channel $B$ if $\Pi$ is externally covert
and has the property that if $f$ is strongly fair, then for every distinguisher $D_\sigma$ for
$V^\Pi_\sigma(x)$ with significant advantage $\varepsilon$, there is a distinguisher $D_{1-\sigma}$ for $V^\Pi_{1-\sigma}(x)$ with
advantage $\Omega(\varepsilon)$. Thus in a weakly fair covert protocol, we do not guarantee that both
parties get the result, only that if at some point in the protocol one party can tell
that the other is running the protocol with significant advantage, the same is true for
the other party.

We note that in the above protocol, if the function $G$ is assumed to be a
pseudorandom generator (rather than a random oracle), then the resulting protocol
exhibits weakly fair covertness. Suppose $D_\sigma$ has significant advantage $\varepsilon$ after round $j$,
as in the hypothesis of weak covertness. Notice that given $r_{1-\sigma}[1 \ldots j-1]$ and
$G(r_{1-\sigma}) \oplus f(x)$, the remainder of $P_\sigma$'s view can be simulated efficiently. Then $D_\sigma$
must be a distinguisher for $G(r)$ given the first $j-1$ bits of $r$. But since $f$ is strongly
fair, $P_{1-\sigma}$ can apply $D_\sigma$ to $G(r_\sigma) \oplus f(x)$ by guessing at most 1 bit of $r_\sigma$ and
simulating $P_\sigma$'s view with his own inputs. Thus $P_{1-\sigma}$ has advantage at least
$\varepsilon/2 - \nu(k) = \Omega(\varepsilon)$.
Chapter 8


Future Research Directions


While this thesis has resolved several of the open questions pertaining to universal
steganography, there are still many interesting open questions about theoretical
steganography. In this section we highlight those that seem most important.


8.1  High-rate  steganography 

We  have  shown  that  for  a  universal  blockwise  stegosystem  with  bounded  sample  access 
to  a  channel,  the  optimal  rate  is  bounded  above  by  both  the  minimum  entropy  of  the 
channel  and  the  logarithm  of  the  sample  bound.  Three  general  research  directions 
arise  from  this  result.  First,  a  natural  question  is  what  happens  to  this  bound  if 
we  remove  the  universality  and  blockwise  constraints.  A  second  natural  direction  to 
pursue  is  the  question  of  efficiently  detecting  the  use  of  a  stegosystem  that  exceeds 
the  maximum  secure  rate.  A  third  interesting  question  to  explore  is  the  relationship 
between  extractors  and  stegosystems. 

If we do not restrict ourselves to consider universal blockwise stegosystems, there
is some evidence to suggest that it is possible to achieve a much higher rate. For
instance, for the uniform channel $U$, the IND$-CPA encryption scheme in Chapter 2
has rate which converges to 1. Likewise, a recent proposal by Van Le [41] describes
a stegosystem based on the "folklore" observation that perfect compression for a
channel yields secure steganography; the system described there is not universal, nor
is it secure in a blockwise model, but the rate approaches the Shannon entropy for
any efficiently sampleable channel with entropy bounded by the logarithm of the
security parameter $k$. Thus it is natural to wonder whether there is a reasonable
security model and a reasonable class of nonuniversally accessible stegosystems which
are provably secure under this model, yet have rate which substantially exceeds that
of the construction in Chapter 6.

We  show  that  any  blockwise  stegosystem  which  exceeds  the  minimum  entropy 
can  be  detected  by  giving  a  detection  algorithm  which  draws  many  samples  from  the 
channel.  It  is  an  interesting  question  whether  the  number  of  samples  required  can  be 
reduced  significantly  for  some  channels.  It  is  not  hard  to  see  that  artificial  channels 
can  be  designed  for  which  this  is  the  case  using,  for  instance,  a  trapdoor  permutation 
for  which  the  warden  knows  the  trapdoor.  However,  a  more  natural  example  would 
be  of  interest. 

The design methodology of (blockwise) transforming the uniform channel to an
arbitrary channel, as well as the minimum entropy upper bound on the rate of a
stegosystem, suggest that there is a connection to extractors. An extractor is a
function that transforms a sample from an arbitrary blockwise source of minimum
entropy $m$ and a short random string into a string of roughly $m$ bits that has
distribution statistically close to uniform. (In fact a universal hash function is an
extractor.) It would be interesting to learn whether there is any deeper connection
between stegosystems and extractors; for instance, the decoding algorithm for a
stegosystem $(SE, SD)$ acts as an extractor-like function for some distributions; in
particular $SD_K(\cdot)$ optimally extracts entropy from the distribution $SE_K(U)$. However,
it is not immediately obvious how to extend this to a general extractor.


8.2  Public  Key  Steganography 

The necessary and sufficient conditions for the existence of a public-key stegosystem
constitute an open question. Certainly for a universal stegosystem the necessary and
sufficient condition is the existence of a trapdoor predicate family with domains that
are computationally indistinguishable from a polynomially dense set: as we showed in
Chapter 4, such primitives are sufficient for IND$-CPA public-key encryption; while
on the other hand, the existence of a universal public-key stegosystem implies the
existence of a public-key stegosystem for the uniform channel, which is by itself a
trapdoor predicate family with domains that are computationally indistinguishable
from a set of density 1. Unlike the case with symmetric steganography, however,
we are not aware of a reduction from a stegosystem for an arbitrary channel to a
dense-domain trapdoor predicate family.

In a similar manner, it is an open question whether steganographic key exchange
protocols can be constructed based on intractability assumptions other than the
Decisional Diffie-Hellman assumption. This is in contrast to cryptographic key
exchange, which is implied by the existence of any public-key encryption scheme or
oblivious transfer protocol. It is not clear whether the existence of IND$-CPA
public-key encryption implies the existence of SKE protocols.


8.3 Active attacks

Concerning steganography in the presence of active attacks, several questions remain
open. Some standard cryptographic questions remain about chosen-covertext security
and substitution-robust steganography. A more important issue is a model of a
disrupting adversary that more closely matches the types of attacks applied to
existing proposals in the literature for robust stegosystems.

There are several open cryptographic questions relating to chosen-covertext
security. For example, it is not clear whether IND$-CCA-secure public-key encryption
schemes exist in the standard model (without random oracles). As we alluded to
in Chapter 5, all of the known general constructions of chosen-ciphertext secure
encryption schemes are easily distinguished from random bits, and the known schemes
depending on specific intractability assumptions seem to depend on using testable
subgroups. Another interesting question is whether chosen-covertext security can be
achieved with oracle-only access to the channel. The key problem here is in ensuring
that it is hard to find more than one valid encoding of a valid ciphertext; this
seems difficult to accomplish without repeatable access to the channel. To avoid this
problem, Backes and Cachin [7] have introduced the notion of Replayable Chosen
Covertext (RCCA) security, which is identical to sCCA security, with the exception
that the adversary is forbidden to submit covertexts which decode to the challenge
hiddentext. The problem with this approach is that the replay attack seems to be a
viable attack in the real world. Thus it is an interesting question to investigate the
possibility of notions "in-between" sCCA and RCCA.

Similar questions about substitution-robustness remain open. It is an interesting
problem to design a universal provably-secure substitution-robust stegosystem that
requires only sender access to the channel. Also of interest is whether the
requirement that Bob can evaluate an admissible superset of the relation R can be
removed. Intuitively, it seems that the ability to evaluate R is necessary for
substitution robustness, because the decoding algorithm evaluates R to an extent: if
R(x, y), then it should be the case that SD(x) = SD(y) except with negligible
probability. The trouble with this intuition is first, that there is no requirement
that decoding a single document should return anything meaningful, and second, that
while such an algorithm evaluates a superset of R, it may not be admissible. In light
of our proof that no stegosystem can be secure against both distinguishing and
disrupting adversaries, it is also interesting to investigate the possibility of
substitution robustness against adversaries with access to a decoding oracle.

The most important open question concerning robust steganography is the mismatch
between substitution robustness and the types of attacks perpetrated against
typical proposals for robust steganography. Such attacks include strategies such as
splitting a single document into a series of smaller documents with the same meaning,
merging two or more documents into a single document with the same meaning,
and reordering documents in a list. Especially if there is no bound on the length of
sequences to which these operations can be applied, it seems difficult to even write a
general description of the rules such a warden must follow; and although it is
reasonably straightforward to counteract any single attack in the previous list,
composing several of them with relation-bounded substitutions as well seems to lead
to attacks which are difficult to defend against.

8.4 Covert Computation


In the area of covert computation, this thesis leaves room for improvement and open
problems. For example, can (strongly) fair covert two-party computation secure
against malicious adversaries be achieved without random oracles? It seems at least
plausible that constructions based on concrete assumptions such as the
"knowledge-of-exponent" assumption or the "generalized BBS" assumption may allow
construction of such protocols, yet the obvious applications always destroy the final
covertness property. A related question is whether covert two-party computation can
be based on general cryptographic assumptions rather than the specific Decisional
Diffie-Hellman assumption used here.

Another open question is that of improving the efficiency of the protocols presented
here, either by designing protocols for specific goals or through adapting efficient
two-party protocols to provide covertness. A possible direction to pursue would be
"optimistic" fairness involving a trusted third party. In this case, though, there is
the question of how the third party could "complete" the computation without
revealing participation.

Another interesting question is whether the notion of covert two-party computation
can be extended in some natural and implementable way to multiple parties.
Such a generalization could have important applications in the area of anonymous
communications, allowing, for instance, the deployment of undetectable anonymous
remailer networks. The difficulty here is in finding a sensible model: how can a
multiparty computation take place without knowing who the other parties are? If
the other parties are to be known, how can their participation be secret? What if
the normal communication pattern between parties is not the complete graph? In
addition to these difficulties, the issues associated with cheating players become more
complex, and there seems to be no good candidate protocol for the uniform channel.

8.5 Other models


The results of Chapter 3 show that the ability to sample from a channel in our model is
necessary for steganographic communication using that channel. Since in many cases
we do not understand the channel well enough to sample from it, a natural question
is whether there exist models where less knowledge of the distribution is necessary;
such a model will necessarily restrict the adversary's knowledge of the channel as well.
One intuition is that typical steganographic adversaries are not monitoring the traffic
between a specific pair of individuals in an effort to confirm suspicious behavior, but
are monitoring a high-volume stream of traffic between many points looking for the
"most suspicious" behavior; so stegosystems which could be detected by analyzing
a long sequence of communications might go undetected if only single messages are
analyzed. This type of model is tantalizing because there are unconditionally secure
cryptosystems under various assumptions about adversaries with bounded storage
[18, 50], but it remains an interesting challenge to give a satisfying formal model and
provably secure construction for this scenario.